
Windows Analysis Report
shaLnqmyTS.exe

Overview

General Information

Sample name: shaLnqmyTS.exe (renamed because the original name is a hash value)
Original sample name: 2d38fac7d02a4d32b8579c25ec1ce2d6bb14bc27d846874ad6f1897ca21889cd.exe
Analysis ID: 1588696
MD5: 8b2612c44a0951e150dc47ba2741d26e
SHA1: 0d5a4030a841a8a77c130f6689712e24aaa9a674
SHA256: 2d38fac7d02a4d32b8579c25ec1ce2d6bb14bc27d846874ad6f1897ca21889cd
Tags: exe, RedLineStealer, user-adrian__luca

Detection

RedLine
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • shaLnqmyTS.exe (PID: 1792 cmdline: "C:\Users\user\Desktop\shaLnqmyTS.exe" MD5: 8B2612C44A0951E150DC47BA2741D26E)
    • shaLnqmyTS.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\shaLnqmyTS.exe" MD5: 8B2612C44A0951E150DC47BA2741D26E)
    • shaLnqmyTS.exe (PID: 7388 cmdline: "C:\Users\user\Desktop\shaLnqmyTS.exe" MD5: 8B2612C44A0951E150DC47BA2741D26E)
    • shaLnqmyTS.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\shaLnqmyTS.exe" MD5: 8B2612C44A0951E150DC47BA2741D26E)
    • shaLnqmyTS.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\shaLnqmyTS.exe" MD5: 8B2612C44A0951E150DC47BA2741D26E)
    • shaLnqmyTS.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\shaLnqmyTS.exe" MD5: 8B2612C44A0951E150DC47BA2741D26E)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
00000002.00000002.1462210866.00000000041B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.1462210866.00000000041FC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000A.00000002.3148789208.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.1462210866.0000000004247000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: shaLnqmyTS.exe PID: 1792 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Source | Rule | Description | Author | Strings
2.2.shaLnqmyTS.exe.4204b90.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.shaLnqmyTS.exe.4204b90.3.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
              • 0x22ec3:$gen01: ChromeGetRoamingName
              • 0x22ee8:$gen02: ChromeGetLocalName
              • 0x22f2b:$gen03: get_UserDomainName
              • 0x26dc4:$gen04: get_encrypted_key
              • 0x25b43:$gen05: browserPaths
              • 0x25e19:$gen06: GetBrowsers
              • 0x25701:$gen07: get_InstalledInputLanguages
              • 0x21bcc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
              • 0x1218:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
              • 0x4a638:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
              • 0x27206:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
              • 0x272a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
              • 0x278be:$spe9: *wallet*
              • 0x1fbea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
              • 0x20114:$typ03: A937C899247696B6565665BE3BD09607F49A2042
              • 0x201c1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
              • 0x1fb98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
              • 0x1fbc1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
              • 0x1fd92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
              • 0x1ffe5:$typ11: 2A19BFD7333718195216588A698752C517111B02
              • 0x202d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
2.2.shaLnqmyTS.exe.41b9970.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.shaLnqmyTS.exe.41b9970.0.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
                • 0x24cc3:$gen01: ChromeGetRoamingName
                • 0x24ce8:$gen02: ChromeGetLocalName
                • 0x24d2b:$gen03: get_UserDomainName
                • 0x28bc4:$gen04: get_encrypted_key
                • 0x27943:$gen05: browserPaths
                • 0x27c19:$gen06: GetBrowsers
                • 0x27501:$gen07: get_InstalledInputLanguages
                • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
                • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
                • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
                • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
                • 0x296be:$spe9: *wallet*
                • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
                • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
                • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
                • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
                • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
                • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
                • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
                • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
2.2.shaLnqmyTS.exe.4204b90.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                  No Sigma rule has matched
                  No Suricata rule has matched


                  AV Detection

                  Source: 00000002.00000002.1462210866.00000000041B9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
                  Source: shaLnqmyTS.exe | ReversingLabs: Detection: 71%
                  Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                  Source: shaLnqmyTS.exe | Joe Sandbox ML: detected
                  Source: shaLnqmyTS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: shaLnqmyTS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.00000000014FC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb[ source: shaLnqmyTS.exe, 0000000A.00000002.3153280764.00000000065D0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdbs source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.0000000001544000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.0000000001544000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb{ source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.00000000014AD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb()Mq source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.00000000014FC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbG source: shaLnqmyTS.exe, 0000000A.00000002.3153280764.00000000065D0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.0000000001536000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.00000000014AD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb_ source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.00000000014AD000.00000004.00000020.00020000.00000000.sdmp

                  Networking

                  Source: Malware configuration extractor | URLs: 87.120.120.86:1912
                  Source: global traffic | TCP traffic: 192.168.2.7:49796 -> 87.120.120.86:1912
                  Source: Joe Sandbox View | IP Address: 87.120.120.86
                  Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
                  Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.120.86
                  Source: shaLnqmyTS.exeString found in binary or memory: http://localhost/arkanoid_server/requests.php
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10LR
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11LR
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12LR
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13LR
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14LR
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15LR
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16LR
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17LR
                  Source: shaLnqmyTS.exe, 00000002.00000002.1462210866.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000002.00000002.1462210866.0000000004247000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000002.00000002.1462210866.00000000041FC000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3148789208.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip

                  System Summary

                  Source: 2.2.shaLnqmyTS.exe.4204b90.3.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 2.2.shaLnqmyTS.exe.41b9970.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 2.2.shaLnqmyTS.exe.4204b90.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 2.2.shaLnqmyTS.exe.41b9970.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 10.2.shaLnqmyTS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 2_2_015CDF14
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 10_2_02FEDC74
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 10_2_0576EE58
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 10_2_05768850
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 10_2_05760040
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 10_2_05760007
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 10_2_05768840
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 10_2_05765A38
                  Source: shaLnqmyTS.exe, 00000002.00000002.1462210866.0000000004323000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000002.00000002.1462210866.0000000004323000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000002.00000002.1460386969.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000002.00000002.1462210866.0000000004247000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000002.00000002.1462210866.0000000004247000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000002.00000002.1462210866.00000000041FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000002.00000002.1464663159.0000000005A20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000002.00000002.1458925430.000000000143E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000002.00000000.1300823567.0000000000E32000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedLRK.exe0 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000002.00000002.1465736985.0000000007690000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.0000000001468000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 0000000A.00000002.3148789208.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe | Binary or memory string: OriginalFilenamedLRK.exe0 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 2.2.shaLnqmyTS.exe.4204b90.3.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings | author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 2.2.shaLnqmyTS.exe.41b9970.0.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings | author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 2.2.shaLnqmyTS.exe.4204b90.3.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings | author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 2.2.shaLnqmyTS.exe.41b9970.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings | author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 10.2.shaLnqmyTS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings | author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: shaLnqmyTS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engine | Classification label: mal92.troj.evad.winEXE@11/1@0/1
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shaLnqmyTS.exe.log
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Mutant created: NULL
                  Source: shaLnqmyTS.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: shaLnqmyTS.exeReversingLabs: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\shaLnqmyTS.exe "C:\Users\user\Desktop\shaLnqmyTS.exe"
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Process created: C:\Users\user\Desktop\shaLnqmyTS.exe "C:\Users\user\Desktop\shaLnqmyTS.exe" (five child instances of the sample's own image; the original report prints this list of five twice, once with and once without a behavior-graph link, and the duplicate set is collapsed here)
Read together with the "Creates a process in suspended mode (likely to inject code)" signature and the RedLine Yara hit on the PE unpacked from address 400000 in the child with analysis index 10 (10.2.shaLnqmyTS.exe.400000.0.unpack), this self-spawning is consistent with the loader's injection step: the obfuscated .NET parent starts copies of itself and places the decoded payload in a child process. A process starting its own image repeatedly within seconds is the detection hook a defender should take from this tree.
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Sections loaded (first listing): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (listed twice in the original), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, iconcodecservice.dll, dwrite.dll
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Sections loaded (second listing): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, msvcp140_clr0400.dll, mswsock.dll
Most of these are the normal .NET 4 startup set (mscoree, the *_clr0400 runtime libraries, cryptsp/rsaenh for the CryptoAPI provider the framework uses). Two are worth noting: amsi.dll in the first listing, which the .NET Framework 4.8 runtime loads to scan assemblies loaded from memory, so it is consistent with an in-memory Assembly.Load of the decoded payload; and mswsock.dll in the second listing, the Winsock service provider, which is where the network activity recorded further down originates.
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: shaLnqmyTS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (a CLR header is present, i.e. a managed executable)
Source: shaLnqmyTS.exe | Static PE information: DllCharacteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE (the defaults emitted by the .NET compilers)
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb | source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.00000000014FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb[ | source: shaLnqmyTS.exe, 0000000A.00000002.3153280764.00000000065D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdbs | source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.0000000001544000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb | source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.0000000001544000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb{ | source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.00000000014AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb()Mq | source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.00000000014FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbG | source: shaLnqmyTS.exe, 0000000A.00000002.3153280764.00000000065D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb | source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.0000000001536000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.00000000014AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb_ | source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.00000000014AD000.00000004.00000020.00020000.00000000.sdmp
These are not PDB paths embedded in the sample: they are the symbol-search locations the runtime probes for System.ServiceModel.pdb (the stray trailing characters such as "s", "{", "G", "[", "_" and "()Mq" are adjacent memory bytes). They are found only in the child process with analysis index 0000000A, the one hosting the unpacked payload, and show that the payload uses WCF (System.ServiceModel). RedLine is known to implement its C2 channel over WCF, and the tempuri.org string in the URL table at the end of this report is WCF's default contract namespace, not a host the sample contacted.
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 2_2_015CEE60 push esp; iretd 2_2_015CEE61
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 10_2_057622A6 push cs; iretd 10_2_057622A8
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 10_2_0576D442 push eax; ret 10_2_0576D451
All three addresses lie in dynamically allocated memory rather than in the mapped image (a 32-bit .NET image of this kind is based at 400000), so these push/iretd and push/ret fragments are most likely data or JIT output being linearly disassembled; treat the "code obfuscation techniques (call, push, ret)" signature as low confidence for a managed sample.
Source: shaLnqmyTS.exe | Static PE information: section name: .text, entropy: 7.813051520440733 (out of a maximum of 8.0; an executable section this close to random is compressed or encrypted content that is decoded at run time, which is what the packing/obfuscation signatures in the overview key on)
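The entropy figure above is the one static check in this report that a triage script can reproduce without the sandbox. The block below is an added example, not code from the Joe Sandbox report or from the sample: a minimal PE section-table parser that computes Shannon entropy per section and flags sections above a cut-off. The input is a constructed PE32 built inside the block, with a random-byte .text standing in for an encrypted code section and a low-entropy .rsrc beside it; the 7.0 threshold is an assumption for the demo, not a value the report uses.

```python
import math
import random
import struct

# Section characteristic flags from the PE specification (subset used here)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (name, raw_offset, raw_size, characteristics) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                            # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, raw_ptr, raw_size, chars))
    return sections


def section_entropies(pe: bytes) -> dict:
    """Map section name -> entropy of its raw bytes on disk."""
    return {name: shannon_entropy(pe[ptr:ptr + size])
            for name, ptr, size, _ in parse_sections(pe)}


def flag_packed_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Names of sections whose entropy exceeds `threshold` (assumed cut-off, not from
    the report). An executable section at this level almost always holds an encrypted
    or compressed payload that is decoded at run time."""
    return [name for name, ent in section_entropies(pe).items() if ent > threshold]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 for the demo (not the analysed sample)."""
    rng = random.Random(0x5EED)
    text = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for encrypted code
    rsrc = b"\0" * 3072 + b"RESOURCE" * 128                 # low-entropy data
    headers_size = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE signature
    # IMAGE_FILE_HEADER: i386, 2 sections, no symbols, PE32 optional header, EXEC|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic

    def sec(name, vaddr, raw_ptr, raw_size, chars):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, raw_size, vaddr, raw_size, raw_ptr,
                           0, 0, 0, 0, chars)

    table = sec(b".text", 0x1000, headers_size, len(text),
                IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    table += sec(b".rsrc", 0x2000, headers_size + len(text), len(rsrc),
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers_size, b"\0")
    return header + text + rsrc


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, ent in section_entropies(sample).items():
        print(f"{name:8s} entropy={ent:.3f}")
    print("packed:", flag_packed_sections(sample))
```

On a real file, `open(path, "rb").read()` replaces `build_sample_pe()`; the parser reads raw (on-disk) section bytes, which is what the report's static entropy refers to. Combine the entropy with the characteristics flag: a high-entropy section that is also IMAGE_SCN_MEM_EXECUTE, as .text is here, is a stronger packing signal than high entropy in a resource section, where compressed images are normal.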
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Process information set: NOOPENFILEERRORBOX (this identical entry appears 90 times in the original report; it records the process error-mode being set to suppress "file not found" dialogs, a routine runtime call that is not suspicious on its own)

                  Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: shaLnqmyTS.exe PID: 1792, type: MEMORYSTR (the AntiVM3 rule named in the signature overview; it fires on the parent loader process)
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Memory allocated: memory reserve | memory write watch, at 15C0000, 31B0000, 3100000, 7860000, 8860000, 89F0000, 99F0000, 2FE0000, 3210000 and 3120000 (ten reservations with MEM_WRITE_WATCH; the .NET garbage collector reserves its heap segments this way, so for a managed binary this signature on its own is weak evidence of sandbox evasion)
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shaLnqmyTS.exe TID: 6708 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Thread delayed: delay time: 922337203685477
922337203685477 is TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks divided by 10,000), so thread 6708 parks itself with an effectively infinite Thread.Sleep or wait; this is the behavior the "Contains long sleeps" and "May sleep (evasive loops)" signatures in the overview refer to, and it is also how a finished worker thread is commonly kept alive, so read it alongside the other evasion evidence rather than alone.
Source: shaLnqmyTS.exe, 0000000A.00000002.3149408116.00000000014FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll (this is the name of the Hyper-V socket provider that mswsock.dll registers in the Winsock catalog on every Windows 10 build; it sits next to the mswsock.dll path because it was read from the catalog, and by itself it is not evidence that the sample checks for a hypervisor)
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Process token adjusted: Debug (SeDebugPrivilege enabled; see "Enables debug privileges" in the overview)
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Process created: C:\Users\user\Desktop\shaLnqmyTS.exe "C:\Users\user\Desktop\shaLnqmyTS.exe" (the same five self-spawned child instances listed in the process-creation entries earlier, re-listed by the report under the evasion signatures)
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Queries volume information (VolumeInformation), first listing, for:
  C:\Users\user\Desktop\shaLnqmyTS.exe
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Queries volume information (VolumeInformation), second listing, for:
  C:\Users\user\Desktop\shaLnqmyTS.exe
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
These are the CLR's file-version lookups on assemblies as they are bound, so the "Queries the volume information" signature is runtime noise; what is informative is the difference between the two listings. The first is a Windows Forms/VisualBasic loader; the second adds the WCF stack (System.ServiceModel and its dependencies), matching the System.ServiceModel.pdb probes found only in the child that hosts the unpacked payload.
Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a stable per-installation identifier; stealers commonly read it to tag the victim host in their check-in)

                  Stealing of Sensitive Information

Source: Yara match (the "Yara detected RedLine Stealer" rule from the signature overview) | File sources:
  2.2.shaLnqmyTS.exe.4204b90.3.unpack, type: UNPACKEDPE
  2.2.shaLnqmyTS.exe.41b9970.0.raw.unpack, type: UNPACKEDPE
  2.2.shaLnqmyTS.exe.4204b90.3.raw.unpack, type: UNPACKEDPE
  2.2.shaLnqmyTS.exe.41b9970.0.unpack, type: UNPACKEDPE
  10.2.shaLnqmyTS.exe.400000.0.unpack, type: UNPACKEDPE
  00000002.00000002.1462210866.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  00000002.00000002.1462210866.00000000041FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  0000000A.00000002.3148789208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
  00000002.00000002.1462210866.0000000004247000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  Process Memory Space: shaLnqmyTS.exe PID: 1792, type: MEMORYSTR
  Process Memory Space: shaLnqmyTS.exe PID: 7412, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File sources (the same eleven unpacked PEs, memory regions and process memory spaces as under Stealing of Sensitive Information):
  2.2.shaLnqmyTS.exe.4204b90.3.unpack, type: UNPACKEDPE
  2.2.shaLnqmyTS.exe.41b9970.0.raw.unpack, type: UNPACKEDPE
  2.2.shaLnqmyTS.exe.4204b90.3.raw.unpack, type: UNPACKEDPE
  2.2.shaLnqmyTS.exe.41b9970.0.unpack, type: UNPACKEDPE
  10.2.shaLnqmyTS.exe.400000.0.unpack, type: UNPACKEDPE
  00000002.00000002.1462210866.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  00000002.00000002.1462210866.00000000041FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  0000000A.00000002.3148789208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
  00000002.00000002.1462210866.0000000004247000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  Process Memory Space: shaLnqmyTS.exe PID: 1792, type: MEMORYSTR
  Process Memory Space: shaLnqmyTS.exe PID: 7412, type: MEMORYSTR
MITRE ATT&CK Matrix

The original matrix is the full ATT&CK grid (columns Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact) with a signature count in front of each technique the report matched. Only the matched cells carry information about this sample; they are listed here per tactic with that count, and the unmatched template cells are omitted.

Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (11), Obfuscated Files or Information (2), Software Packing (2), DLL Side-Loading (1)
Discovery: Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (31), System Information Discovery (12)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1)

No technique was matched under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration or Impact.

Source | Detection | Scanner | Label | Link
shaLnqmyTS.exe | 71% | ReversingLabs | Win32.Ransomware.RedLine |
shaLnqmyTS.exe | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
87.120.120.86:1912 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://tempuri.org/Entity/Id10Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id22LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id2Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id17LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id7LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id11LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id17Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id5LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id3LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | shaLnqmyTS.exe, 00000002.00000002.1462210866.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000002.00000002.1462210866.0000000004247000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000002.00000002.1462210866.00000000041FC000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3148789208.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id7Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21LR | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/x | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id11Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id22Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id1ResponseshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id18LRshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id16LRshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id8LRshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id14LRshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id6LRshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/Id18ResponseshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id12LRshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressingshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id10LRshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id4LRshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://tempuri.org/Entity/Id2LRshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rmXshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://tempuri.org/Entity/Id3ResponseshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://localhost/arkanoid_server/requests.phpshaLnqmyTS.exefalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessageshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://tempuri.org/Entity/Id16ResponseshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://tempuri.org/Entity/Id5ResponseshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.xmlsoap.org/soap/actor/nextshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://tempuri.org/Entity/Id14ResponseshaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000331E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
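Almost every string in this table is a .NET WCF / WS-* namespace URI: tempuri.org is the default WCF service namespace (the Entity/IdNResponse and Entity/IdNLR names are contract operation identifiers), schemas.xmlsoap.org/ws/2005/02/rm is WS-ReliableMessaging, ws/2004/08/addressing is WS-Addressing, and ws/2005/05/identity/claims/dns is a WIF claim type. The framework embeds these in any WCF client; they are not hosts the sample contacts, which is consistent with the "false" and "high" flags on every row. The script below is an added triage example, not part of the Joe Sandbox report: it parses rows in name|sources|malicious|reputation form, buckets them into framework noise, loopback artefacts and candidates worth a closer look, and counts which dumped memory regions the framework strings came from. Its input is a constructed subset of the rows above plus one synthetic row with an RFC 5737 TEST-NET address that exists only to exercise the candidate branch. One further assumption, not stated on the page: the fourth dotted field of a .sdmp reference is treated as the base address of the dumped region.

```python
"""Triage the 'URLs found in memory' rows of a sandbox report.

Row format (as reconstructed from the report): name|sources|malicious|reputation.
Framework namespace URIs are separated from strings that merit analyst review.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed input: a subset of the report's rows, plus one synthetic row
# (203.0.113.10 is an RFC 5737 documentation address) that is NOT from the
# report and exists only to show the 'candidate' bucket in action.
SAMPLE_ROWS = """\
http://tempuri.org/Entity/Id11Response|shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003410000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 0000000A.00000002.3150380567.000000000345F000.00000004.00000800.00020000.00000000.sdmp|false|high
http://tempuri.org/Entity/Id23|shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003373000.00000004.00000800.00020000.00000000.sdmp|false|high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested|shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp|false|high
http://schemas.xmlsoap.org/ws/2004/08/addressing|shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp|false|high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns|shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp|false|high
http://localhost/arkanoid_server/requests.php|shaLnqmyTS.exe|false|high
http://203.0.113.10:8080/gate.php|shaLnqmyTS.exe, 0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp|false|unknown
"""

# Namespace hosts that WCF / WS-* / XML stacks embed as identifiers; they are
# never contacted over the network by the client that carries them.
FRAMEWORK_HOSTS = {
    "tempuri.org", "schemas.xmlsoap.org", "schemas.microsoft.com",
    "schemas.datacontract.org", "www.w3.org",
}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Joe Sandbox memory dump reference, e.g.
#   0000000A.00000002.3150380567.0000000003211000.00000004.00000800.00020000.00000000.sdmp
# Assumption: the fourth field (16 hex digits) is the dumped region's base
# address. The remaining fields are carried as opaque text.
DUMP_REF = re.compile(
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.[0-9A-F.]+\.sdmp",
    re.IGNORECASE,
)


def parse_rows(text):
    """Parse name|sources|malicious|reputation lines into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sources, malicious, reputation = line.split("|")
        rows.append({
            "name": name,
            "sources": sources,
            "malicious": malicious.strip().lower() == "true",
            "reputation": reputation.strip(),
            # base addresses of every dump the string was seen in
            "regions": [int(m.group(4), 16) for m in DUMP_REF.finditer(sources)],
        })
    return rows


def classify(name):
    """'framework' for namespace URIs, 'local' for loopback, else 'candidate'."""
    host = (urlparse(name).hostname or "").lower()
    if host in FRAMEWORK_HOSTS:
        return "framework"
    if host in LOCAL_HOSTS:
        return "local"
    return "candidate"


def triage(text):
    """Return (buckets, region_hits): names per class, and how many framework
    strings each dumped region contributed (a heavily hit region is usually
    the WCF channel/serializer heap, a good place to look for the real endpoint)."""
    buckets = {"framework": [], "local": [], "candidate": []}
    region_hits = Counter()
    for row in parse_rows(text):
        kind = classify(row["name"])
        buckets[kind].append(row["name"])
        if kind == "framework":
            region_hits.update(row["regions"])
    return buckets, region_hits


if __name__ == "__main__":
    buckets, regions = triage(SAMPLE_ROWS)
    for kind, names in buckets.items():
        print(f"{kind:10s} {len(names)}")
        for n in names:
            print("    ", n)
    print("framework strings per dumped region:")
    for base, n in sorted(regions.items()):
        print(f"    0x{base:08X}: {n}")
```

Run against only the rows shown above (without the synthetic line) the candidate bucket is empty: this sample's network indicator is not a URL string in memory at all but the 87.120.120.86 endpoint listed in the IP table below, which is where the hunt for the C2 should start.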
IP | Domain | Country | ASN | ASN Name | Malicious
87.120.120.86 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588696
Start date and time: 2025-01-11 04:24:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: shaLnqmyTS.exe (renamed because the original name is a hash value)
Original Sample Name: 2d38fac7d02a4d32b8579c25ec1ce2d6bb14bc27d846874ad6f1897ca21889cd.exe
Detection: MAL
Classification: mal92.troj.evad.winEXE@11/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 25
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000 ms are automatically reduced to 1000 ms
• Sleep loops longer than 100000000 ms are bypassed. Single calls with a delay of 100000000 ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 172.202.163.200
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: shaLnqmyTS.exe
No simulations
Match           Associated Sample Name / URL                           SHA 256    Detection   Threat Name   Link     Context
87.120.120.86   zAGUEDGSTM.exe                                         Get hash   malicious   RedLine       Browse
                C5Zr4LSzmp.exe                                         Get hash   malicious   RedLine       Browse
                C5Zr4LSzmp.exe                                         Get hash   malicious   RedLine       Browse
                VmoLw6EKj5.exe                                         Get hash   malicious   RedLine       Browse
                Xf3rn1smZw.exe                                         Get hash   malicious   RedLine       Browse
                2eRd5imEKU.exe                                         Get hash   malicious   RedLine       Browse
                2eRd5imEKU.exe                                         Get hash   malicious   RedLine       Browse
                17.12.2024 ________.exe                                Get hash   malicious   RedLine       Browse
                #U0417#U0430#U043f#U0440#U043e#U0441 11.12.2024.exe    Get hash   malicious   RedLine       Browse
No context
Match                      Associated Sample Name / URL   SHA 256    Detection   Threat Name          Link     Context
UNACS-AS-BG8000BurgasBG    zAGUEDGSTM.exe                 Get hash   malicious   RedLine              Browse   • 87.120.120.86
                           WtZl31OLfA.exe                 Get hash   malicious   Remcos, GuLoader     Browse   • 87.120.116.187
                           C5Zr4LSzmp.exe                 Get hash   malicious   RedLine              Browse   • 87.120.120.86
                           C5Zr4LSzmp.exe                 Get hash   malicious   RedLine              Browse   • 87.120.120.86
                           2XnMqJW0u1.exe                 Get hash   malicious   XWorm                Browse   • 87.120.120.15
                           VmoLw6EKj5.exe                 Get hash   malicious   RedLine              Browse   • 87.120.120.86
                           QwMcsmYcxv.exe                 Get hash   malicious   AsyncRAT, VenomRAT   Browse   • 87.120.120.15
                           QwMcsmYcxv.exe                 Get hash   malicious   AsyncRAT, VenomRAT   Browse   • 87.120.120.15
                           Xf3rn1smZw.exe                 Get hash   malicious   RedLine              Browse   • 87.120.120.86
No context
No context
Process: C:\Users\user\Desktop\shaLnqmyTS.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.637446024094241
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: shaLnqmyTS.exe
File size: 788'480 bytes
MD5: 8b2612c44a0951e150dc47ba2741d26e
SHA1: 0d5a4030a841a8a77c130f6689712e24aaa9a674
SHA256: 2d38fac7d02a4d32b8579c25ec1ce2d6bb14bc27d846874ad6f1897ca21889cd
SHA512: 87052019e30f961c6a77889e789f246d1c529834c90122f3c3a781ee58b519db311b31f36309ae2e56706ccc2a0e34b545ddb054d9fc5cf81700e1c76510387e
SSDEEP: 12288:uIR4R52J+XtLKxw9rbrramF93MFTzEiBBs/iTxAKnAHORfoO9FHF9jD7Qx1MxQh:uIeew9rbKmF93MxzRTqKnYOBvHPO
TLSH: B0F402A8BA42C846DC0153740D76F5B416696FECF411931F2BDA7FABFCB3A13049A246
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../tNg..............0.............R.... ... ....@.. .......................`............@................................
Icon Hash: 4b66a4ecc5ce527b
Entrypoint: 0x4b0e52
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x674E742F [Tue Dec 3 02:59:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb0e00 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x10e14 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xaee58 | 0xaf000 | 657dd4a31c46c11de6cd16845227f84e | False | 0.9366043526785715 | data | 7.813051520440733 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0x10e14 | 0x11000 | d4415ba155e955a7f9fae907e9b85678 | False | 0.21964039522058823 | data | 4.392571462049695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc4000 | 0xc | 0x400 | 30c2fd1c86f99d78ba2cd8aa63c81816 | False | 0.025390625 | data | 0.04468700625387198 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb2160 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | | | 0.21470188098899798
RT_GROUP_ICON | 0xc2988 | 0x14 | data | | | 1.0
RT_GROUP_ICON | 0xc299c | 0x14 | data | | | 1.05
RT_VERSION | 0xc29b0 | 0x278 | data | | | 0.47151898734177217
RT_MANIFEST | 0xc2c28 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
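The section table above is the static tell worth checking on any sample of this kind: the .text section carries almost all of the file (0xaf000 raw bytes) at an entropy of 7.81 bits per byte, the import table holds a single entry (mscoree.dll!_CorExeMain) and a COM descriptor is present, which together is the profile of a .NET executable whose real payload is compressed or encrypted inside the managed image and unpacked at run time. The script below is an added example, not code from the Joe Sandbox report: it walks the PE section headers with the standard library, computes per-section Shannon entropy and flags executable sections above a threshold. The PE image it parses is constructed in memory (a DOS stub, a COFF header with no optional header, two sections with synthetic contents) so the example runs offline; the 7.0 threshold, IMAGE_SCN_MEM_EXECUTE constant and the build_sample_pe() helper are this example's own. High entropy alone also matches legitimately compressed resources or signed installers, so treat it as one indicator alongside the import count and the COM descriptor.

```python
"""Flag packed-looking PE sections from the section headers.

Added example; it is not code from the Joe Sandbox report. It uses only the
Python standard library and parses a PE image constructed in memory below,
so it runs offline. For a real file: parse_sections(open(path, "rb").read()).
"""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0   # assumption: bits/byte above which code looks compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the IMAGE_SECTION_HEADER array and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    first = coff + 20 + opt_size   # section headers follow the optional header
    sections = []
    for i in range(nsect):
        # IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, first + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(raw), "characteristics": chars,
        })
    return sections


def suspicious_sections(sections, threshold=ENTROPY_THRESHOLD) -> list:
    """Names of executable sections whose raw bytes are at or above the entropy threshold."""
    return [s["name"] for s in sections
            if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed test image (not the analysed sample): .text holds pseudo-random bytes to
    imitate a packed payload, .rsrc holds mostly zeros. SizeOfOptionalHeader is 0, which a
    real loader would reject but is enough to exercise the header walk."""
    rng = random.Random(1)                      # fixed seed so the result is reproducible
    text_raw = rng.randbytes(0x1000)
    rsrc_raw = b"\0" * 0x3C0 + b"RESOURCE" * 8
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, EXECUTABLE|32BIT

    def hdr(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff
               + hdr(b".text", 0x1000, 0x1000, 0x1000, 0x200, 0x60000020)   # CODE|EXECUTE|READ
               + hdr(b".rsrc", 0x400, 0x2000, 0x400, 0x1200, 0x40000040))  # INITIALIZED_DATA|READ
    return headers.ljust(0x200, b"\0") + text_raw + rsrc_raw


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<6} va=0x{s['va']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']:.2f}")
    print("packed-looking executable sections:", suspicious_sections(secs))
```

Run against the real sample the same function would report .text at roughly the 7.81 shown in the table and .rsrc and .reloc well below the threshold; the check is cheap enough to run on every binary in a triage queue before any sandbox time is spent.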
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 04:25:26.522555113 CET | 49796 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:25:26.527452946 CET | 1912 | 49796 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:25:26.527555943 CET | 49796 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:25:26.538259029 CET | 49796 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:25:26.543174028 CET | 1912 | 49796 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:25:47.907855988 CET | 1912 | 49796 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:25:47.908021927 CET | 49796 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:25:47.935249090 CET | 49796 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:25:52.967824936 CET | 49960 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:25:52.972642899 CET | 1912 | 49960 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:25:52.972733974 CET | 49960 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:25:52.973001957 CET | 49960 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:25:52.977816105 CET | 1912 | 49960 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:26:14.345091105 CET | 1912 | 49960 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:26:14.345182896 CET | 49960 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:26:14.345632076 CET | 49960 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:26:19.357985973 CET | 49975 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:26:19.362853050 CET | 1912 | 49975 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:26:19.363006115 CET | 49975 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:26:19.363218069 CET | 49975 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:26:19.367978096 CET | 1912 | 49975 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:26:40.735017061 CET | 1912 | 49975 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:26:40.735096931 CET | 49975 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:26:40.735310078 CET | 49975 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:26:45.748126984 CET | 49977 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:26:45.753030062 CET | 1912 | 49977 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:26:45.753196001 CET | 49977 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:26:45.753388882 CET | 49977 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:26:45.758192062 CET | 1912 | 49977 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:27:07.112567902 CET | 1912 | 49977 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:27:07.112739086 CET | 49977 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:27:07.112973928 CET | 49977 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:27:12.124524117 CET | 49978 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:27:12.129560947 CET | 1912 | 49978 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:27:12.129648924 CET | 49978 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:27:12.129878998 CET | 49978 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:27:12.134711981 CET | 1912 | 49978 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:27:33.484312057 CET | 1912 | 49978 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:27:33.484397888 CET | 49978 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:27:33.484666109 CET | 49978 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:27:38.498639107 CET | 49979 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:27:38.505103111 CET | 1912 | 49979 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:27:38.505291939 CET | 49979 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:27:38.505477905 CET | 49979 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:27:38.510226965 CET | 1912 | 49979 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:27:59.861680984 CET | 1912 | 49979 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:27:59.861846924 CET | 49979 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:27:59.865021944 CET | 49979 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:28:04.873548985 CET | 49980 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:28:04.878539085 CET | 1912 | 49980 | 87.120.120.86 | 192.168.2.7
Jan 11, 2025 04:28:04.878652096 CET | 49980 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:28:04.878916979 CET | 49980 | 1912 | 192.168.2.7 | 87.120.120.86
Jan 11, 2025 04:28:04.883765936 CET | 1912 | 49980 | 87.120.120.86 | 192.168.2.7
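The TCP table above shows the behaviour a network detection should key on: seven short connections from 192.168.2.7 to 87.120.120.86 on port 1912, each from a fresh ephemeral port, opened about 26.4 seconds apart with almost no variation, each held for roughly 21 seconds before the server side closes it. That cadence, on a port no common service uses, is what the report's "Detected TCP or UDP traffic on non-standard ports" signature and the C2 address in the extracted configuration describe from two different angles. The script below is an added example, not part of the Joe Sandbox report: it groups packets into connections, takes each connection's first timestamp and flags peers contacted at near-constant intervals. PACKETS is a subset of the table above (the client's opening packet of each of the seven connections plus the server's replies on the first one); the lower-port-is-server direction heuristic, the MIN_CONNECTIONS and MAX_JITTER thresholds and the COMMON_PORTS list are this example's own assumptions.

```python
"""Beacon detection over the report's TCP connection table.

Added example, not part of the Joe Sandbox report. PACKETS is copied from the
table above (a subset: the opening packet of each connection plus the replies
on the first one); the heuristics and thresholds are this example's assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

PACKETS = [  # (timestamp, source port, dest port, source IP, dest IP), as in the table
    ("Jan 11, 2025 04:25:26.522555113 CET", 49796, 1912, "192.168.2.7", "87.120.120.86"),
    ("Jan 11, 2025 04:25:26.527452946 CET", 1912, 49796, "87.120.120.86", "192.168.2.7"),
    ("Jan 11, 2025 04:25:26.527555943 CET", 49796, 1912, "192.168.2.7", "87.120.120.86"),
    ("Jan 11, 2025 04:25:47.907855988 CET", 1912, 49796, "87.120.120.86", "192.168.2.7"),
    ("Jan 11, 2025 04:25:52.967824936 CET", 49960, 1912, "192.168.2.7", "87.120.120.86"),
    ("Jan 11, 2025 04:26:19.357985973 CET", 49975, 1912, "192.168.2.7", "87.120.120.86"),
    ("Jan 11, 2025 04:26:45.748126984 CET", 49977, 1912, "192.168.2.7", "87.120.120.86"),
    ("Jan 11, 2025 04:27:12.124524117 CET", 49978, 1912, "192.168.2.7", "87.120.120.86"),
    ("Jan 11, 2025 04:27:38.498639107 CET", 49979, 1912, "192.168.2.7", "87.120.120.86"),
    ("Jan 11, 2025 04:28:04.873548985 CET", 49980, 1912, "192.168.2.7", "87.120.120.86"),
]

COMMON_PORTS = {53, 80, 443}   # assumption: ports not reported as "non-standard"
MIN_CONNECTIONS = 5            # assumption: fewer starts give no usable interval statistics
MAX_JITTER = 0.10              # assumption: stdev/mean at or below this is machine-regular


def parse_ts(s: str) -> datetime:
    """Parse 'Jan 11, 2025 04:25:26.522555113 CET': the zone suffix is dropped (every row
    carries the same one) and nanoseconds are truncated to the microseconds strptime accepts."""
    body, _zone = s.rsplit(" ", 1)
    head, frac = body.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def connection_starts(packets):
    """Earliest packet per TCP connection, grouped by (client IP, server IP, server port).
    Direction heuristic (assumption): the endpoint with the lower port number is the server,
    so the server's replies land in the same connection as the client's opening packet."""
    first_seen = {}
    for ts, sport, dport, src, dst in packets:
        a, b = (src, sport), (dst, dport)
        client, server = (a, b) if sport > dport else (b, a)
        t = parse_ts(ts)
        if (client, server) not in first_seen or t < first_seen[(client, server)]:
            first_seen[(client, server)] = t
    per_peer = defaultdict(list)
    for (client, server), t in first_seen.items():
        per_peer[(client[0], server[0], server[1])].append(t)
    return per_peer


def find_beacons(packets) -> list:
    """Peers contacted repeatedly at near-constant intervals, with the port flagged."""
    findings = []
    for (client_ip, server_ip, server_port), times in connection_starts(packets).items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= MAX_JITTER:
            findings.append({
                "client": client_ip, "server": server_ip, "port": server_port,
                "connections": len(times),
                "mean_interval_s": round(avg, 3),
                "jitter": round(jitter, 4),
                "non_standard_port": server_port not in COMMON_PORTS,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(PACKETS):
        print(f"{f['client']} -> {f['server']}:{f['port']}  {f['connections']} connections, "
              f"every {f['mean_interval_s']} s (jitter {f['jitter']}), "
              f"non-standard port: {f['non_standard_port']}")
```

In practice the same function is fed from a Zeek conn.log or from the sandbox's PCAP rather than a hand-copied table. Interval regularity is an indicator, not proof: a family that randomises its sleep defeats the jitter test, and a legitimate agent polling on a timer passes it, so the finding is scored together with the destination port, the destination reputation and the host-side evidence the report lists.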


Target ID: 2
Start time: 22:25:05
Start date: 10/01/2025
Path: C:\Users\user\Desktop\shaLnqmyTS.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\shaLnqmyTS.exe"
Imagebase: 0xd80000
File size: 788'480 bytes
MD5 hash: 8B2612C44A0951E150DC47BA2741D26E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1462210866.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1462210866.00000000041FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1462210866.0000000004247000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 6
Start time: 22:25:21
Start date: 10/01/2025
Path: C:\Users\user\Desktop\shaLnqmyTS.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\shaLnqmyTS.exe"
Imagebase: 0xe0000
File size: 788'480 bytes
MD5 hash: 8B2612C44A0951E150DC47BA2741D26E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                                                                                                                            Target ID:7
                                                                                                                                                                            Start time:22:25:21
                                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                                            Path:C:\Users\user\Desktop\shaLnqmyTS.exe
                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\shaLnqmyTS.exe"
                                                                                                                                                                            Imagebase:0x3b0000
                                                                                                                                                                            File size:788'480 bytes
                                                                                                                                                                            MD5 hash:8B2612C44A0951E150DC47BA2741D26E
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:8
                                                                                                                                                                            Start time:22:25:21
                                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                                            Path:C:\Users\user\Desktop\shaLnqmyTS.exe
                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\shaLnqmyTS.exe"
                                                                                                                                                                            Imagebase:0x40000
                                                                                                                                                                            File size:788'480 bytes
                                                                                                                                                                            MD5 hash:8B2612C44A0951E150DC47BA2741D26E
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:9
                                                                                                                                                                            Start time:22:25:21
                                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                                            Path:C:\Users\user\Desktop\shaLnqmyTS.exe
                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\shaLnqmyTS.exe"
                                                                                                                                                                            Imagebase:0x300000
                                                                                                                                                                            File size:788'480 bytes
                                                                                                                                                                            MD5 hash:8B2612C44A0951E150DC47BA2741D26E
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:10
                                                                                                                                                                            Start time:22:25:21
                                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                                            Path:C:\Users\user\Desktop\shaLnqmyTS.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\shaLnqmyTS.exe"
                                                                                                                                                                            Imagebase:0xe00000
                                                                                                                                                                            File size:788'480 bytes
                                                                                                                                                                            MD5 hash:8B2612C44A0951E150DC47BA2741D26E
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Yara matches:
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.3148789208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Has exited:false


                                                                                                                                                                              Execution Graph

                                                                                                                                                                              Execution Coverage:7%
                                                                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                              Signature Coverage:0%
                                                                                                                                                                              Total number of Nodes:38
                                                                                                                                                                              Total number of Limit Nodes:7
                                                                                                                                                                              execution_graph 17388 15cafd8 17392 15cb0bf 17388->17392 17397 15cb0d0 17388->17397 17389 15cafe7 17393 15cb104 17392->17393 17394 15cb0e1 17392->17394 17393->17389 17394->17393 17395 15cb308 GetModuleHandleW 17394->17395 17396 15cb335 17395->17396 17396->17389 17398 15cb104 17397->17398 17399 15cb0e1 17397->17399 17398->17389 17399->17398 17400 15cb308 GetModuleHandleW 17399->17400 17401 15cb335 17400->17401 17401->17389 17402 15cd358 17403 15cd39e GetCurrentProcess 17402->17403 17405 15cd3f0 GetCurrentThread 17403->17405 17409 15cd3e9 17403->17409 17406 15cd42d GetCurrentProcess 17405->17406 17407 15cd426 17405->17407 17408 15cd463 17406->17408 17407->17406 17410 15cd48b GetCurrentThreadId 17408->17410 17409->17405 17411 15cd4bc 17410->17411 17412 15c4668 17413 15c4672 17412->17413 17415 15c4758 17412->17415 17416 15c477d 17415->17416 17420 15c4858 17416->17420 17424 15c4868 17416->17424 17417 15c4787 17417->17413 17421 15c488f 17420->17421 17422 15c496c 17421->17422 17428 15c44b4 17421->17428 17422->17417 17425 15c488f 17424->17425 17426 15c496c 17425->17426 17427 15c44b4 CreateActCtxA 17425->17427 17426->17417 17427->17426 17429 15c58f8 CreateActCtxA 17428->17429 17431 15c59bb 17429->17431 17432 15cd5a0 DuplicateHandle 17433 15cd636 17432->17433

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              control_flow_graph 294 15cd348-15cd3e7 GetCurrentProcess 298 15cd3e9-15cd3ef 294->298 299 15cd3f0-15cd424 GetCurrentThread 294->299 298->299 300 15cd42d-15cd461 GetCurrentProcess 299->300 301 15cd426-15cd42c 299->301 302 15cd46a-15cd485 call 15cd528 300->302 303 15cd463-15cd469 300->303 301->300 307 15cd48b-15cd4ba GetCurrentThreadId 302->307 303->302 308 15cd4bc-15cd4c2 307->308 309 15cd4c3-15cd525 307->309 308->309
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 015CD3D6
                                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 015CD413
                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 015CD450
                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 015CD4A9
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000002.00000002.1459547273.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_2_2_15c0000_shaLnqmyTS.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2063062207-0
                                                                                                                                                                              • Opcode ID: 8aacec869e695318b66b03ab7dbfbee9a756692e72f9a0a5a752b284d2282fb1
                                                                                                                                                                              • Instruction ID: 3f68756035e5b09bab5e9cac64ea3a0982a5e8eb7ac4913405d3fb202d772942
                                                                                                                                                                              • Opcode Fuzzy Hash: 8aacec869e695318b66b03ab7dbfbee9a756692e72f9a0a5a752b284d2282fb1
                                                                                                                                                                              • Instruction Fuzzy Hash: 4E5146B09013098FDB18CFAAD5887DEBBF1BF48714F20845EE549AB350D7746944CB66

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              control_flow_graph 316 15cd358-15cd3e7 GetCurrentProcess 320 15cd3e9-15cd3ef 316->320 321 15cd3f0-15cd424 GetCurrentThread 316->321 320->321 322 15cd42d-15cd461 GetCurrentProcess 321->322 323 15cd426-15cd42c 321->323 324 15cd46a-15cd485 call 15cd528 322->324 325 15cd463-15cd469 322->325 323->322 329 15cd48b-15cd4ba GetCurrentThreadId 324->329 325->324 330 15cd4bc-15cd4c2 329->330 331 15cd4c3-15cd525 329->331 330->331
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 015CD3D6
                                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 015CD413
                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 015CD450
                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 015CD4A9
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000002.00000002.1459547273.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_2_2_15c0000_shaLnqmyTS.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2063062207-0
                                                                                                                                                                              • Opcode ID: dd61614b3f0fd09ffe5c5b2dbf282d87d92aefaa8fe06be3f83b0d067ec651c6
                                                                                                                                                                              • Instruction ID: 36af06252983f613c7d2caa86790d01c9ad80e42cbf593c4b7fab0bdb1a03e45
                                                                                                                                                                              • Opcode Fuzzy Hash: dd61614b3f0fd09ffe5c5b2dbf282d87d92aefaa8fe06be3f83b0d067ec651c6
                                                                                                                                                                              • Instruction Fuzzy Hash: 955136B09003098FDB18CFAAD588BDEBBF1BF88714F20845DE149AB350D7746944CB66

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              control_flow_graph 360 15cb0d0-15cb0df 361 15cb10b-15cb10f 360->361 362 15cb0e1-15cb0ee call 15c9ad4 360->362 364 15cb111-15cb11b 361->364 365 15cb123-15cb164 361->365 367 15cb104 362->367 368 15cb0f0 362->368 364->365 371 15cb166-15cb16e 365->371 372 15cb171-15cb17f 365->372 367->361 415 15cb0f6 call 15cb358 368->415 416 15cb0f6 call 15cb368 368->416 371->372 373 15cb181-15cb186 372->373 374 15cb1a3-15cb1a5 372->374 376 15cb188-15cb18f call 15caab4 373->376 377 15cb191 373->377 379 15cb1a8-15cb1af 374->379 375 15cb0fc-15cb0fe 375->367 378 15cb240-15cb300 375->378 381 15cb193-15cb1a1 376->381 377->381 410 15cb308-15cb333 GetModuleHandleW 378->410 411 15cb302-15cb305 378->411 382 15cb1bc-15cb1c3 379->382 383 15cb1b1-15cb1b9 379->383 381->379 385 15cb1c5-15cb1cd 382->385 386 15cb1d0-15cb1d9 call 15caac4 382->386 383->382 385->386 391 15cb1db-15cb1e3 386->391 392 15cb1e6-15cb1eb 386->392 391->392 393 15cb1ed-15cb1f4 392->393 394 15cb209-15cb216 392->394 393->394 396 15cb1f6-15cb206 call 15caad4 call 15caae4 393->396 401 15cb218-15cb236 394->401 402 15cb239-15cb23f 394->402 396->394 401->402 412 15cb33c-15cb350 410->412 413 15cb335-15cb33b 410->413 411->410 413->412 415->375 416->375
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 015CB326
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000002.00000002.1459547273.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_2_2_15c0000_shaLnqmyTS.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HandleModule
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4139908857-0
                                                                                                                                                                              • Opcode ID: 5213f2aa90d42852394caf6bc5c3b6ffa0e758db96441d9bf69acb4dc4bb21bc
                                                                                                                                                                              • Instruction ID: d17b9b3d6386c28634bb072af28921d750bfbb1157adc0776a982fe03bfaa179
                                                                                                                                                                              • Opcode Fuzzy Hash: 5213f2aa90d42852394caf6bc5c3b6ffa0e758db96441d9bf69acb4dc4bb21bc
                                                                                                                                                                              • Instruction Fuzzy Hash: A47147B0A00B458FEB24CFAAD54575ABBF1FF88640F00892ED48ADBA50D775E845CB91

Control-flow Graph

Basic blocks and edges recovered from the graph rendering (block id: address range, API called, successors):
• 417: 015C44B4-015C59B9, calls CreateActCtxA -> 420, 421
• 420: 015C59BB-015C59C1 -> 421
• 421: 015C59C2-015C5A1C -> 428, 429
• 428: 015C5A1E-015C5A21 -> 429
• 429: 015C5A2B-015C5A2F -> 430, 431
• 430: 015C5A40 -> 433
• 431: 015C5A31-015C5A3D -> 430
• 433: 015C5A41 -> 433 (the block branches to itself)
APIs
• CreateActCtxA.KERNEL32(?), ref: 015C59A9
Memory Dump Source
• Source File: 00000002.00000002.1459547273.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15c0000_shaLnqmyTS.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: e3bd176bb00d0ceae347ddfc7b023a3d51d5fe9c7bd8bfc6965d886f3ce44e7c
• Instruction ID: 3b03b12d9a45b9bb7c57c36439c42aa68014719082605306ac979921fa538dd7
• Opcode Fuzzy Hash: e3bd176bb00d0ceae347ddfc7b023a3d51d5fe9c7bd8bfc6965d886f3ce44e7c
• Instruction Fuzzy Hash: 8741DD70D10719CFEB24CFAAC884B9EBBF5BF49704F20806AD408AB251EB756945CF91

Control-flow Graph

Basic blocks and edges recovered from the graph rendering. Only the entry differs from the preceding graph; the blocks from 015C59BB onward are the same code:
• 434: 015C58ED-015C58EF -> 435
• 435: 015C58FC-015C59B9, calls CreateActCtxA -> 437, 438
• 437: 015C59BB-015C59C1 -> 438
• 438: 015C59C2-015C5A1C -> 445, 446
• 445: 015C5A1E-015C5A21 -> 446
• 446: 015C5A2B-015C5A2F -> 447, 448
• 447: 015C5A40 -> 450
• 448: 015C5A31-015C5A3D -> 447
• 450: 015C5A41 -> 450 (the block branches to itself)
APIs
• CreateActCtxA.KERNEL32(?), ref: 015C59A9
Memory Dump Source
• Source File: 00000002.00000002.1459547273.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15c0000_shaLnqmyTS.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 859c07c6e02ada7efc98d844ce83ed859a244602b4ae6e494f7bf64ee902229e
• Instruction ID: 5a8a29b35bddcc8a85cbd1589f58f38990c1791b9fa72500a3df229c8b129a6d
• Opcode Fuzzy Hash: 859c07c6e02ada7efc98d844ce83ed859a244602b4ae6e494f7bf64ee902229e
• Instruction Fuzzy Hash: 6041DE70D10719CFEB24DFAAC8847DDBBB5BF48704F20806AD408AB251DB756946CF51

Control-flow Graph

Basic blocks and edges recovered from the graph rendering:
• 451: 015CD5A0-015CD634, calls DuplicateHandle -> 452, 453
• 452: 015CD63D-015CD65A
• 453: 015CD636-015CD63C -> 452
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015CD627
Memory Dump Source
• Source File: 00000002.00000002.1459547273.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15c0000_shaLnqmyTS.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 409d6f6136e058ad70ded0907c62f59db7ad8a0dd14e1b1724a70f4b770a4aca
• Instruction ID: a58b0657c5148b128dfea576da60edeaf098efb2b78e3aac0b1a29fff812420c
• Opcode Fuzzy Hash: 409d6f6136e058ad70ded0907c62f59db7ad8a0dd14e1b1724a70f4b770a4aca
• Instruction Fuzzy Hash: 0A21E4B5D00208DFDB10CFAAD884ADEBBF4FB48310F14841AE918A7350C375A940CFA5

Control-flow Graph

Basic blocks and edges recovered from the graph rendering. Same function body as the preceding graph, entered seven bytes earlier:
• 456: 015CD599-015CD634, calls DuplicateHandle -> 457, 458
• 457: 015CD63D-015CD65A
• 458: 015CD636-015CD63C -> 457
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015CD627
Memory Dump Source
• Source File: 00000002.00000002.1459547273.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15c0000_shaLnqmyTS.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: dc378a1708053e98c54f6b1b94ed95d4cab4dfd1e0f022b0d16bb153acf4b7e3
• Instruction ID: efc2c6bb1009aabb800713575d9bc14905662529d05bf80a4c808a911e5c19cc
• Opcode Fuzzy Hash: dc378a1708053e98c54f6b1b94ed95d4cab4dfd1e0f022b0d16bb153acf4b7e3
• Instruction Fuzzy Hash: 0921E4B5D00208DFDB10CFAAD584ADEBBF4FB48324F14841AE958A7350D374A940CFA5

Control-flow Graph

Basic blocks and edges recovered from the graph rendering:
• 461: 015CB2C0-015CB300 -> 462, 463
• 462: 015CB308-015CB333, calls GetModuleHandleW -> 464, 465
• 463: 015CB302-015CB305 -> 462
• 464: 015CB33C-015CB350
• 465: 015CB335-015CB33B -> 464
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 015CB326
Memory Dump Source
• Source File: 00000002.00000002.1459547273.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15c0000_shaLnqmyTS.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 84a05adbedc6e5672adb7718f5236b0545e4e289b1efcbc898ce434182473a09
• Instruction ID: ea7272acfdf75a78b2d5c0d24715539c6da26feb4f1853e6acd64cb38ee078c6
• Opcode Fuzzy Hash: 84a05adbedc6e5672adb7718f5236b0545e4e289b1efcbc898ce434182473a09
• Instruction Fuzzy Hash: E01110B6C003498FDB20CF9AD444BDEFBF4BF88624F10841AD818A7200C379A545CFA5
Memory Dump Source
• Source File: 00000002.00000002.1459301500.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_153d000_shaLnqmyTS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 726de5565d893e668651e6f50732cb618583ecb7cf09d35f2bc2c7b8cd8fc754
• Instruction ID: a44123198dc7c2aaa46880820a877bcfebfd6d23c4f481f4049f39a7e40533a4
• Opcode Fuzzy Hash: 726de5565d893e668651e6f50732cb618583ecb7cf09d35f2bc2c7b8cd8fc754
• Instruction Fuzzy Hash: 8F21FF71604200AFDB15DFA4D980B2AFBB5FB84714F60C969E84A0F292D33AD447CA62

Memory Dump Source
• Source File: 00000002.00000002.1459301500.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_153d000_shaLnqmyTS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6df33eb3100bf282494034348d635c4452ae574387fd3cad3e7662cd064ddd01
• Instruction ID: e47cd5fc5ad8aca1e010a224dc98138a2d1e982f59befd6965a84f6bc759010b
• Opcode Fuzzy Hash: 6df33eb3100bf282494034348d635c4452ae574387fd3cad3e7662cd064ddd01
• Instruction Fuzzy Hash: 5B2180755093808FCB12CF64D994715FF71FB86214F28C5DAD8498F6A7C33A980ACB62

Memory Dump Source
• Source File: 00000002.00000002.1458882064.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_142d000_shaLnqmyTS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7ba927837ba6c13cc020d59a5425261f703c651dcbacf604a90a6be7af48c20
• Instruction ID: b76f38f753b0a1e2c1ec407bb31fba616cad2624e28a8d201027f7f0999e7cea
• Opcode Fuzzy Hash: c7ba927837ba6c13cc020d59a5425261f703c651dcbacf604a90a6be7af48c20
• Instruction Fuzzy Hash: 8901A7718043949BF7205AA5CDC47A7BBD8DF81224F54C56BED494F2A2C27C9881CAB6

Memory Dump Source
• Source File: 00000002.00000002.1458882064.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_142d000_shaLnqmyTS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04c348ab4cf953214aef6a56f9aaa18aa43d54884442038480537b94f3fab1ab
• Instruction ID: 89817b87e549efab844cfe9d5bbadfea009a8347292e93def928359dcd5b3bea
• Opcode Fuzzy Hash: 04c348ab4cf953214aef6a56f9aaa18aa43d54884442038480537b94f3fab1ab
• Instruction Fuzzy Hash: D3F062714053949FE7208E1AC984B67FFD8EB81634F18C55AED484F297C2799844CAB5

Memory Dump Source
• Source File: 00000002.00000002.1459547273.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15c0000_shaLnqmyTS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1760ac1a7e3f7886009d7b784beeeb3d1c39fc2ad2c7a15957f1d014c396c9b1
• Instruction ID: 4c00ddfb1bbe3e097aa7ce2a06ec103b22faf2d0fe2d06f7d7684f6de9a1411a
• Opcode Fuzzy Hash: 1760ac1a7e3f7886009d7b784beeeb3d1c39fc2ad2c7a15957f1d014c396c9b1
• Instruction Fuzzy Hash: 93A14932E0021A8FCF15DFF5C88059EBBB2BF84700B15456EE915AF265EB71E955CB80

Execution Graph

Execution Coverage: 8.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 120
Total number of Limit Nodes: 7

execution_graph (rendered as an interactive call graph on the original page; its node and edge list is summarised here). Three entry points are shown. 0x2fed0b8 reaches DuplicateHandle through 0x2fed298 / 0x2fed289 and 0x2fec9a0 / 0x2fed300. 0x17ad01c reaches CallWindowProcW through 0x5760ad4, 0x5762c08, 0x5760bfc, 0x5762da0, 0x5762d90, 0x5762e6c, 0x576435a and 0x576429b. 0x2fe4668 reaches CreateActCtxA through 0x2fe47a0, 0x2fe48b0 / 0x2fe48a1, 0x2fe4248 and 0x2fe5940, and reaches GetModuleHandleW through 0x2fe3e10, 0x2fe5c54, 0x2fe5c64, 0x2fe5c94 and 0x2fe5cc4, then the 0x2fead00 / 0x2fecde0 / 0x2fecdf0 paths that end at 0x2feae30, 0x2feb068, 0x2fecfa0, 0x2fecf90 and 0x2fec8d8.

Control-flow Graph

control_flow_graph for the function at 0x2feae30 (basic blocks up to 0x2feb0b0; rendered as an interactive graph on the original page, whose executed / not-executed colouring is not preserved in text). The block 0x2feb068-0x2feb093 calls GetModuleHandleW; other blocks call 0x2fe9838, 0x2feb0c8 or 0x2feb0b8 (two edge variants from 0x2feae56), 0x2fea814, 0x2fea824, 0x2fea834 and 0x2fea844.
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02FEB086
Memory Dump Source
• Source File: 0000000A.00000002.3150153794.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2fe0000_shaLnqmyTS.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: f3d41977655f92eda2bab406fb8177a25983d056cdb9be36bdf477709afe39ce
• Instruction ID: 2d5e0034c16ebcf05281f2e690d55fb2ba2283eaa948e6dd88f970d3c8b9e02b
• Opcode Fuzzy Hash: f3d41977655f92eda2bab406fb8177a25983d056cdb9be36bdf477709afe39ce
• Instruction Fuzzy Hash: 577179B0A00B458FDB25DF2AD44075ABBF1FF88744F00892EE58ADBA50DB74E805CB91

Control-flow Graph

control_flow_graph for the function at 0x5760bfc (basic blocks up to 0x57643dc; rendered as an interactive graph on the original page). The block 0x576435a-0x5764392 calls CallWindowProcW; the block 0x57643ac-0x57643cc calls 0x5760ad4.
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05764381
Memory Dump Source
• Source File: 0000000A.00000002.3152033333.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5760000_shaLnqmyTS.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 78bc4b1ef0d9bcc354ba7b55e4e88bab6791f7b5d48cacdaff7716d9bbc5be76
• Instruction ID: 26eee96583fdddc38d8cc309176a773ddd36f78c0cbb4193c74485f0bef582a9
• Opcode Fuzzy Hash: 78bc4b1ef0d9bcc354ba7b55e4e88bab6791f7b5d48cacdaff7716d9bbc5be76
• Instruction Fuzzy Hash: 67412CB5900309DFDB14CF96C488AAEBBF6FF88314F248559E519AB321D774A841CFA0

Control-flow Graph

control_flow_graph for the function at 0x2fe4248 (basic blocks up to 0x2fe5b3c; rendered as an interactive graph on the original page). The entry block 0x2fe4248-0x2fe5a01 calls CreateActCtxA.
APIs
• CreateActCtxA.KERNEL32(?), ref: 02FE59F1
Memory Dump Source
• Source File: 0000000A.00000002.3150153794.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2fe0000_shaLnqmyTS.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 98eb06418ea8a10490c2d3dc0efd1a43d4bdce642a6fdde255986741f017ce49
• Instruction ID: 42b30fcadb1c4383a8679f7bba57fc024f5f2f0d237af88c9ada2b1d97279757
• Opcode Fuzzy Hash: 98eb06418ea8a10490c2d3dc0efd1a43d4bdce642a6fdde255986741f017ce49
• Instruction Fuzzy Hash: B841EFB0D01719CBEB24CFA9C884B9DBBF5BF48704F60806AD509AB250DB756949CF90

Control-flow Graph

control_flow_graph for the function at 0x2fe5935 (basic blocks up to 0x2fe5b3c; rendered as an interactive graph on the original page). The block 0x2fe5944-0x2fe5a01 calls CreateActCtxA; from 0x2fe5a01 onward the blocks are the same as in the 0x2fe4248 record above, i.e. this is a second entry into the same code.
APIs
• CreateActCtxA.KERNEL32(?), ref: 02FE59F1
Memory Dump Source
• Source File: 0000000A.00000002.3150153794.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2fe0000_shaLnqmyTS.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f63ec3e220d357a25effc73e422941eada1ccfd1259ba3095c95efd3332d0aaa
• Instruction ID: 9e0da10b74aefd2f2b837f71ca5dfef95227528e1dbe1b7b93e525f369e2b92c
• Opcode Fuzzy Hash: f63ec3e220d357a25effc73e422941eada1ccfd1259ba3095c95efd3332d0aaa
• Instruction Fuzzy Hash: 2A41DFB1D01719CFEB24DFA9C884B9DBBF5BF48704F20806AD409AB251DB75694ACF90

Control-flow Graph

control_flow_graph for the function at 0x2fec9a0 (basic blocks up to 0x2fed3ba; rendered as an interactive graph on the original page). The entry block 0x2fec9a0-0x2fed394 calls DuplicateHandle.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02FED2C6,?,?,?,?,?), ref: 02FED387
Memory Dump Source
• Source File: 0000000A.00000002.3150153794.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2fe0000_shaLnqmyTS.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: b019a6f94fa2056be515fcf4cd720b4510a8d2cdb136e9272ccf7019381b5a31
• Instruction ID: 20e273874e20cc816a4a86f4af0d2f84522db914f7cc5af49f81ee0a0c0819d1
• Opcode Fuzzy Hash: b019a6f94fa2056be515fcf4cd720b4510a8d2cdb136e9272ccf7019381b5a31
• Instruction Fuzzy Hash: 072103B5D00208DFDB10CFAAD984ADEBBF9EB48310F10801AE919A3350C374A940CFA4

Control-flow Graph

control_flow_graph for the function at 0x2fed2f9 (basic blocks up to 0x2fed3ba; rendered as an interactive graph on the original page). The block 0x2fed305-0x2fed394 calls DuplicateHandle; the blocks from 0x2fed394 onward are the same as in the 0x2fec9a0 record above, i.e. this is a second entry into the same code.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02FED2C6,?,?,?,?,?), ref: 02FED387
Memory Dump Source
• Source File: 0000000A.00000002.3150153794.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2fe0000_shaLnqmyTS.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 6fed431dc888e36cc1a59f82f58c09f7e7d3fd537a1a9a083e8c4f3fb1618f95
• Instruction ID: d15d58b5b1f95e69b88a9e80ab8cd96f48a2ecfff91190e3e4e3ab69b1034d74
• Opcode Fuzzy Hash: 6fed431dc888e36cc1a59f82f58c09f7e7d3fd537a1a9a083e8c4f3fb1618f95
• Instruction Fuzzy Hash: E72114B5D002099FDF11CFAAD984ADEBBF9FB48314F10801AE918A3350D374A940CFA4
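
The per-function records above all follow one layout (a control_flow_graph line, an APIs list with call-site refs, the memory-dump source and the Opcode / Instruction hashes). When triaging several of these text exports it is useful to pull that layout into structured data, for instance to group functions by the API they call or to spot two records that are really two entries into one code body, as the CreateActCtxA pair (both ref 02FE59F1) and the DuplicateHandle pair (both ref 02FED387) in this report are. The parser below is an added example, not part of the Joe Sandbox report or its tooling; it assumes the plain-text layout shown on this page with the indentation removed, and the embedded sample is constructed from two of the records above with their control_flow_graph lines shortened.

```python
import re
from collections import defaultdict

# Constructed sample: two "Control-flow Graph" records from this report
# (indentation dropped, control_flow_graph lines shortened).
SAMPLE = """\
Control-flow Graph

• Executed
• Not Executed
control_flow_graph 812 2fe4248-2fe5a01 CreateActCtxA 815 2fe5a0a-2fe5a64 812->815 816 2fe5a03-2fe5a09 812->816
APIs
• CreateActCtxA.KERNEL32(?), ref: 02FE59F1
Memory Dump Source
• Source File: 0000000A.00000002.3150153794.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2fe0000_shaLnqmyTS.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 98eb06418ea8a10490c2d3dc0efd1a43d4bdce642a6fdde255986741f017ce49
• Instruction ID: 42b30fcadb1c4383a8679f7bba57fc024f5f2f0d237af88c9ada2b1d97279757
• Opcode Fuzzy Hash: 98eb06418ea8a10490c2d3dc0efd1a43d4bdce642a6fdde255986741f017ce49
• Instruction Fuzzy Hash: B841EFB0D01719CBEB24CFA9C884B9DBBF5BF48704F60806AD509AB250DB756949CF90

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 833 2fe5935-2fe593c 834 2fe5944-2fe5a01 CreateActCtxA 833->834
APIs
• CreateActCtxA.KERNEL32(?), ref: 02FE59F1
Memory Dump Source
• Source File: 0000000A.00000002.3150153794.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2fe0000_shaLnqmyTS.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f63ec3e220d357a25effc73e422941eada1ccfd1259ba3095c95efd3332d0aaa
• Instruction ID: 9e0da10b74aefd2f2b837f71ca5dfef95227528e1dbe1b7b93e525f369e2b92c
• Opcode Fuzzy Hash: f63ec3e220d357a25effc73e422941eada1ccfd1259ba3095c95efd3332d0aaa
• Instruction Fuzzy Hash: 2A41DFB1D01719CFEB24DFA9C884B9DBBF5BF48704F20806AD409AB251DB75694ACF90
"""

CFG_RE = re.compile(r"^control_flow_graph\b(.*)$", re.M)
# basic-block ranges are "hexstart-hexend"; node ids are short decimals and
# edges use "->", so neither matches this pattern
RANGE_RE = re.compile(r"\b([0-9a-f]{5,8})-([0-9a-f]{5,8})\b")
API_RE = re.compile(r"^•[ \t]*(\w+)\.(\w+)\((.*)\),[ \t]*ref:[ \t]*([0-9A-Fa-f]+)[ \t]*$", re.M)
FIELD_RE = re.compile(r"^•[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)
SRC_RE = re.compile(r"Source File:[ \t]*(\S+),[ \t]*Offset:[ \t]*([0-9A-Fa-f]+),[ \t]*based on PE:[ \t]*(\w+)")


def split_records(text):
    """One chunk per 'Control-flow Graph' heading that carries graph data."""
    chunks = re.split(r"^Control-flow Graph[ \t]*$", text, flags=re.M)
    return [c for c in chunks if CFG_RE.search(c)]


def parse_record(chunk):
    cfg_line = CFG_RE.search(chunk).group(1)
    ranges = [(int(a, 16), int(b, 16)) for a, b in RANGE_RE.findall(cfg_line)]
    if not ranges:
        raise ValueError("control_flow_graph line carries no basic-block ranges")
    rec = {
        "start": ranges[0][0],             # first listed block is the function entry
        "end": max(b for _, b in ranges),  # highest block end seen in the graph
        "blocks": len(ranges),
        "apis": [(n, mod, args, int(ref, 16)) for n, mod, args, ref in API_RE.findall(chunk)],
        "fields": dict(FIELD_RE.findall(chunk)),  # API ID, Opcode ID, fuzzy hashes, ...
    }
    src = SRC_RE.search(chunk)
    rec["source"] = (src.group(1), int(src.group(2), 16), src.group(3) == "true") if src else None
    return rec


def parse_report(text):
    return [parse_record(c) for c in split_records(text)]


def by_api(records):
    """API name -> sorted entry addresses of the functions that call it."""
    out = defaultdict(set)
    for r in records:
        for name, _mod, _args, _ref in r["apis"]:
            out[name].add(r["start"])
    return {k: sorted(v) for k, v in out.items()}


def shared_call_sites(records):
    """(API, call-site ref) -> entry addresses of every record reaching it.
    Two records on the same ref are two entries into one code body even
    though the report lists them with distinct Opcode IDs."""
    sites = defaultdict(set)
    for r in records:
        for name, _mod, _args, ref in r["apis"]:
            sites[(name, ref)].add(r["start"])
    return {k: sorted(v) for k, v in sites.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for r in recs:
        print(hex(r["start"]), hex(r["end"]), [a[0] for a in r["apis"]], r["fields"]["Opcode ID"][:16])
    print(by_api(recs))
    print({(n, hex(ref)): [hex(s) for s in v] for (n, ref), v in shared_call_sites(recs).items()})
```

Feeding the whole section to `parse_report` gives one record per Control-flow Graph heading; `by_api` then answers "which dumped functions touch DuplicateHandle or CreateActCtxA", and `shared_call_sites` collapses the duplicate entries before the Opcode or Instruction IDs are compared against other samples.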

Control-flow Graph

control_flow_graph for the function at 0x2feb020 (basic blocks up to 0x2feb0b0; rendered as an interactive graph on the original page). The block 0x2feb068-0x2feb093 calls GetModuleHandleW; these are the tail blocks of the 0x2feae30 function listed first in this section.
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02FEB086
Memory Dump Source
• Source File: 0000000A.00000002.3150153794.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2fe0000_shaLnqmyTS.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
                                                                                                                                                                              • Opcode ID: e1c55d4ca6b8aaa9ba5dcbbd4ac37d11db0c552b0e428896415a6fab9d12141b
                                                                                                                                                                              • Instruction ID: 9ffa6b306d90a46f8953a9fa5fbeaebcca05d7bca333a8d312fd4dac4816561d
                                                                                                                                                                              • Opcode Fuzzy Hash: e1c55d4ca6b8aaa9ba5dcbbd4ac37d11db0c552b0e428896415a6fab9d12141b
                                                                                                                                                                              • Instruction Fuzzy Hash: E3110FB6C003498FCB21CFAAC444ADEFBF4BB88614F10842AD969A7610C379A545CFA5
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.3149388265.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_145d000_shaLnqmyTS.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 124c79207275c31d00fb01b9b601ee477642d981590b0d2c49a942a28652c870
                                                                                                                                                                              • Instruction ID: a994c500ab5c4fd076e8cd1f6e1ab8d40ef8b6ae4417c56250e51cd247cb7da8
                                                                                                                                                                              • Opcode Fuzzy Hash: 124c79207275c31d00fb01b9b601ee477642d981590b0d2c49a942a28652c870
                                                                                                                                                                              • Instruction Fuzzy Hash: 14210271900200DFDB15DF54D9C0B56BFA5FF84314F20C16AED090B267C336E446CAA2
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.3149936294.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_17ad000_shaLnqmyTS.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 97ab704bbae565b7bf6ccbd54a7e6b5d09c17161554a92033aaf33a5164eb84d
                                                                                                                                                                              • Instruction ID: b58f078bfd18b8617cb096c00808ce6c9f2c13f0635a7b1e22c6aff649c1f465
                                                                                                                                                                              • Opcode Fuzzy Hash: 97ab704bbae565b7bf6ccbd54a7e6b5d09c17161554a92033aaf33a5164eb84d
                                                                                                                                                                              • Instruction Fuzzy Hash: 4A210071644200EFDB25DFA4D9C4B17FBA1EB88314F60C6ADE80A4B692C336D447CA62
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.3149388265.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_145d000_shaLnqmyTS.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                                                                                                                              • Instruction ID: 32460837f30057edd846836fbe7c52cbc44919aedeca820d42ff73f2a6f8de2d
                                                                                                                                                                              • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                                                                                                                              • Instruction Fuzzy Hash: C211AC72804240CFDB16CF54D9C4B56BF62FB84224F2486AADD090A667C33AE456CBA1
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.3149936294.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_17ad000_shaLnqmyTS.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                                                                                                                              • Instruction ID: 04897cffa99ef2a3854e280b5d5c51f200e84b0873fea6494cfbf332ee12a961
                                                                                                                                                                              • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                                                                                                                              • Instruction Fuzzy Hash: A811BB75544280CFCB22CF54D5C4B16FBA2FB88314F24C6AAD8494BA56C33AD40ACBA2
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.3149388265.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_145d000_shaLnqmyTS.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: db1be8a040d5a064ff0dcff4bd3057504f6c7a3861904bbc00d5dbba3f5b6525
                                                                                                                                                                              • Instruction ID: 30502b96269a86825cbd0f64f7f0cd2dca4b2a35729b70ff91051d7741d1138b
                                                                                                                                                                              • Opcode Fuzzy Hash: db1be8a040d5a064ff0dcff4bd3057504f6c7a3861904bbc00d5dbba3f5b6525
                                                                                                                                                                              • Instruction Fuzzy Hash: 02F0E776600604AF97208F0AD984C27FBA9EFD4670719C55AEC5A4B726C671EC42CAB0
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.3149388265.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_145d000_shaLnqmyTS.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 0de88eb7c9eb888e4e4dff81b03e715df63e581f2eae0b8904c6a2507df548dc
                                                                                                                                                                              • Instruction ID: fc55d59204a68d11a5d7f15ef75e9f1f78f5080ac4917ea03ec3e675800a4ee8
                                                                                                                                                                              • Opcode Fuzzy Hash: 0de88eb7c9eb888e4e4dff81b03e715df63e581f2eae0b8904c6a2507df548dc
                                                                                                                                                                              • Instruction Fuzzy Hash: C4F03C75104680AFD725CF15C994C63BFB9EF896607198489EC9A4B362C671FC42CB70