Windows Analysis Report
5tCuNr661k.exe

Overview

General Information

Sample name: 5tCuNr661k.exe (renamed because the original name is a hash value)
Original sample name: 309621355c48f1d8b77d4df0cfb99a32dbd0ab78f234b6c12934d9f3a1503af8.exe
Analysis ID: 1588744
MD5: 12dea314db7aa2b97f2c43a4081d4f66
SHA1: 67c73c5207f877ca7a075f38ff32acb4129ecf17
SHA256: 309621355c48f1d8b77d4df0cfb99a32dbd0ab78f234b6c12934d9f3a1503af8
Tags: exe, RedLineStealer, user-adrian__luca

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 5tCuNr661k.exe (PID: 2700 cmdline: "C:\Users\user\Desktop\5tCuNr661k.exe" MD5: 12DEA314DB7AA2B97F2C43A4081D4F66)
    • 5tCuNr661k.exe (PID: 1048 cmdline: "C:\Users\user\Desktop\5tCuNr661k.exe" MD5: 12DEA314DB7AA2B97F2C43A4081D4F66)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author
00000000.00000002.1380024284.0000000004BA4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000003.00000002.2609693262.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1380024284.0000000004BEF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1380024284.0000000004801000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: 5tCuNr661k.exe PID: 2700 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(2 further entries not shown)

Source | Rule | Description | Author
0.2.5tCuNr661k.exe.4bbb800.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.5tCuNr661k.exe.4bbb800.2.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
Matched strings:
              • 0x24cc3:$gen01: ChromeGetRoamingName
              • 0x24ce8:$gen02: ChromeGetLocalName
              • 0x24d2b:$gen03: get_UserDomainName
              • 0x28bc4:$gen04: get_encrypted_key
              • 0x27943:$gen05: browserPaths
              • 0x27c19:$gen06: GetBrowsers
              • 0x27501:$gen07: get_InstalledInputLanguages
              • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
              • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
              • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
              • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
              • 0x296be:$spe9: *wallet*
              • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
              • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
              • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
              • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
              • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
              • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
              • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
              • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.5tCuNr661k.exe.4b705e0.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.5tCuNr661k.exe.4b705e0.1.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
Matched strings:
                • 0x24cc3:$gen01: ChromeGetRoamingName
                • 0x24ce8:$gen02: ChromeGetLocalName
                • 0x24d2b:$gen03: get_UserDomainName
                • 0x28bc4:$gen04: get_encrypted_key
                • 0x27943:$gen05: browserPaths
                • 0x27c19:$gen06: GetBrowsers
                • 0x27501:$gen07: get_InstalledInputLanguages
                • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
                • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
                • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
                • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
                • 0x296be:$spe9: *wallet*
                • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
                • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
                • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
                • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
                • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
                • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
                • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
                • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.5tCuNr661k.exe.4b705e0.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(9 further entries not shown)

No Sigma rule has matched
No Suricata rule has matched

                  AV Detection

Source: 00000000.00000002.1380024284.0000000004BA4000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 5tCuNr661k.exe | Virustotal: Detection: 71%
Source: 5tCuNr661k.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 5tCuNr661k.exe | Joe Sandbox ML: detected
Source: 5tCuNr661k.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5tCuNr661k.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb | source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb | source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb5 | source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.ServiceModel.pdb | source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000E93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb< | source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb | source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.ServiceModel.pdb$! | source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000E93000.00000004.00000020.00020000.00000000.sdmp

                  Networking

Source: Malware configuration extractor | URLs: 87.120.120.86:1912
Source: global traffic | TCP traffic: 192.168.2.9:49756 -> 87.120.120.86:1912
Source: Joe Sandbox View | IP Address: 87.120.120.86
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.120.86 (23 occurrences)
Source: 5tCuNr661k.exe, 00000000.00000002.1376910425.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2LR
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LR
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4LR
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LR
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LR
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7LR
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LR
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LR
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/x
                  Source: 5tCuNr661k.exe, 00000000.00000002.1380024284.0000000004BA4000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000000.00000002.1380024284.0000000004BEF000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000000.00000002.1380024284.0000000004801000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2609693262.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip

                  System Summary

                  Source: 0.2.5tCuNr661k.exe.4bbb800.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.5tCuNr661k.exe.4b705e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.5tCuNr661k.exe.4b705e0.1.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.5tCuNr661k.exe.4bbb800.2.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 3.2.5tCuNr661k.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.5tCuNr661k.exe.4ae0fc0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.5tCuNr661k.exe.4a519a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C22C8
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C7408
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014CA54B
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C094A
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C097E
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C09DF
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C09AB
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C08CE
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C08FF
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C0B1B
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C0BD3
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C0B9F
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C2BA8
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C2BB8
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C0A0C
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C0A85
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C0D67
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C0CCD
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C0C99
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C0E04
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C0EAB
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C3167
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C309D
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C35F0
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C3719
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C3600
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C1B4B
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C1BA3
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C1A45
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C1A71
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C1C45
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C1FE9
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C1FFE
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C1E0A
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_014C1EFA
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_053C9AA0
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_053CE930
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_053CE921
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_053C12C4
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_053C38E0
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_053C38D0
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_053C9A90
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_097FC838
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_097FE4B8
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_097FAEC0
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 3_2_00DB25D8
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 3_2_00DBDC74
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 3_2_04F6EE58
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 3_2_04F68850
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 3_2_04F60040
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 3_2_04F60007
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 3_2_04F68840
                  Source: 5tCuNr661k.exe, 00000000.00000002.1375714013.000000000124E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe, 00000000.00000002.1380024284.0000000004C3A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe, 00000000.00000002.1380024284.00000000047C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe, 00000000.00000002.1380024284.0000000004BA4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe, 00000000.00000002.1390445470.0000000007DB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe, 00000000.00000002.1391179683.0000000009B00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe, 00000000.00000000.1364540386.0000000000AE8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamekKCN.exe0 vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe, 00000000.00000002.1380024284.0000000004BEF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe, 00000000.00000002.1376910425.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe, 00000000.00000002.1380024284.0000000004801000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe, 00000003.00000002.2609693262.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe | Binary or memory string: OriginalFilenamekKCN.exe0 vs 5tCuNr661k.exe
                  Source: 5tCuNr661k.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.5tCuNr661k.exe.4bbb800.2.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.5tCuNr661k.exe.4b705e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.5tCuNr661k.exe.4b705e0.1.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.5tCuNr661k.exe.4bbb800.2.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 3.2.5tCuNr661k.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.5tCuNr661k.exe.4ae0fc0.3.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.5tCuNr661k.exe.4a519a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 5tCuNr661k.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engine | Classification label: mal96.troj.evad.winEXE@3/1@0/1
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5tCuNr661k.exe.log
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Mutant created: NULL
                  Source: 5tCuNr661k.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 5tCuNr661k.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: 5tCuNr661k.exe | Virustotal: Detection: 71%
                  Source: 5tCuNr661k.exe | ReversingLabs: Detection: 60%
                  Source: unknown | Process created: C:\Users\user\Desktop\5tCuNr661k.exe "C:\Users\user\Desktop\5tCuNr661k.exe"
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process created: C:\Users\user\Desktop\5tCuNr661k.exe "C:\Users\user\Desktop\5tCuNr661k.exe"
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process created: C:\Users\user\Desktop\5tCuNr661k.exe "C:\Users\user\Desktop\5tCuNr661k.exe"
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: iconcodecservice.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: msvcp140_clr0400.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: 5tCuNr661k.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 5tCuNr661k.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb5 source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: em.ServiceModel.pdb source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000E93000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb< source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: em.ServiceModel.pdb$! source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000E93000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_097F89E3 push edx; iretd 0_2_097F89E4
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_097F8AD2 push 0000003Dh; iretd 0_2_097F8AD4
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_097FB1E8 push ss; iretd 0_2_097FB1EA
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_097FB1D1 push ss; iretd 0_2_097FB1D2
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_097F402C push esp; retf 0_2_097F402D
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_097FB205 push ss; iretd 0_2_097FB207
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 0_2_097F85AB push esi; iretd 0_2_097F85AC
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function: 3_2_04F6D442 push eax; ret 3_2_04F6D451
                  Note: push ss; iretd, push esp; retf and similar one-byte push/return pairs found in dynamically allocated memory of a .NET process are typically what a linear-sweep disassembler produces from data or encrypted bytes rather than deliberate call/push/ret obfuscation, so this signature is low-confidence on its own.
                  Source: 5tCuNr661k.exe | Static PE information: section name: .text entropy: 7.784152143328839
                  Note: an entropy of 7.78 out of a maximum of 8.0 for the .text section means it is almost entirely compressed or encrypted data, consistent with the packed payloads that the Yara rules match in the parent process's memory (the 0.2.*.unpack files further down).
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process information set: NOOPENFILEERRORBOX (89 occurrences)
                  Note: SEM_NOOPENFILEERRORBOX only suppresses the "file not found" dialog while libraries are probed; a long run of these calls is the normal pattern of .NET assembly loading and should not be read as a deliberate anti-analysis step.

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: 5tCuNr661k.exe PID: 2700, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: memory reserve | memory write watch, at 0x1480000, 0x2FC0000, 0x2E00000, 0x5500000, 0x6500000, 0x6630000, 0x7630000, 0xA1D0000, 0xB1D0000, 0xB660000, 0xC660000, 0xCF0000, 0x2A30000 and 0x2960000 (14 reservations)
                  Note: MEM_WRITE_WATCH reservations are how the .NET garbage collector tracks writes to its heap segments, so for a managed sample these entries are expected and carry little evasion weight on their own.
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Thread delayed: delay time: 922337203685477 (reported twice)
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe TID: 2136 | Thread sleep time: -922337203685477s >= -30000s
                  Note: 922337203685477 is Int64.MaxValue / 10000, the largest 64-bit count of 100 ns ticks converted to milliseconds (TimeSpan.MaxValue in .NET terms); the hooked call was an unbounded wait, not a timed delay loop, and the "long sleep" signature fires on the magnitude alone.
                  Source: 5tCuNr661k.exe, 00000003.00000002.2610674164.0000000000E93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Note: "Hyper-V RAW" is the Winsock catalog name of the AF_HYPERV provider implemented by mswsock.dll, which this process has loaded (see the Section loaded entry above); the string is present on any Windows 10 host and is not by itself evidence that the sample inspects the hypervisor.
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory written: C:\Users\user\Desktop\5tCuNr661k.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process created: C:\Users\user\Desktop\5tCuNr661k.exe "C:\Users\user\Desktop\5tCuNr661k.exe"
                  Note: read together, these two entries are the process-hollowing (RunPE) pattern: the parent (PID 2700) starts a second copy of its own executable (PID 1048), writes a PE image (4D5A is the "MZ" magic) at the child's image base 0x400000 and lets it run. The dump 3.2.5tCuNr661k.exe.400000.0.unpack that the Yara rules match further down is that injected payload; the fifth field of its memory-dump name is 00000040 where the parent's heap dumps show 00000004, matching PAGE_EXECUTE_READWRITE versus PAGE_READWRITE, which a legitimately mapped image would not carry.
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information (VolumeInformation) for:
                    C:\Users\user\Desktop\5tCuNr661k.exe (queried twice)
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll (queried twice)
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll (queried twice)
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll (queried twice)
                    C:\Windows\Fonts\micross.ttf
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
                  Note: the System.ServiceModel, System.IdentityModel, SMDiagnostics and System.Transactions group is the WCF stack, consistent with the System.ServiceModel.pdb strings above and with the tempuri.org SOAP URIs in the URL table; the Forms, Drawing, Accessibility and VisualBasic group is what any Windows Forms .NET application loads.
                  Source: C:\Users\user\Desktop\5tCuNr661k.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Note: MachineGuid is a stable per-installation identifier; stealers commonly read it to derive a victim or bot ID.
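                  The memory-dump identifiers in this report encode where each Yara-matched region lives, and reading them is the quickest way to confirm the hollowing evidence above (an MZ header written at base 0x400000 of a second copy of the sample). The helper below is an added example, not Joe Sandbox code. It assumes a field layout of process index, phase, dump id, base address, page protection, an uninterpreted sixth field, region type and an uninterpreted eighth field, inferred from the names on this page rather than from Joe Sandbox documentation; the index-to-PID map (0 = parent PID 2700, 3 = child PID 1048) is taken from this report's process tree and its 0_2_/3_2_ prefixes; the PAGE_* and MEM_* values are the Windows winnt.h constants.

```python
"""Parse Joe Sandbox memory-dump identifiers and flag hollowing candidates.

Added example, not Joe Sandbox code. The field layout is an ASSUMPTION
inferred from the dump names in this report, not from documentation:
    <proc index>.<phase>.<dump id>.<base>.<protect>.<field 6>.<type>.<field 8>.sdmp
Fields 6 and 8 are kept raw because their meaning is not established here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# winnt.h memory-protection and region-type constants used to decode fields 5 and 7.
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000

# ASSUMPTION: process index -> PID, taken from this report's process tree and its
# 0_2_ / 3_2_ function prefixes (0 = parent PID 2700, 3 = hollowed child PID 1048).
PROCESS_INDEX_TO_PID = {0: 2700, 3: 1048}

HEX8 = r"([0-9A-Fa-f]{8})"
DUMP_RE = re.compile(
    r"\.".join([HEX8, HEX8, r"(\d+)", r"([0-9A-Fa-f]{16})", HEX8, HEX8, HEX8, HEX8])
    + r"\.sdmp"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    pid: Optional[int]
    base: int
    protect: int
    mem_type: int
    raw_name: str

    @property
    def protect_name(self) -> str:
        return PAGE_NAMES.get(self.protect, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_NAMES.get(self.mem_type, hex(self.mem_type))

    @property
    def is_rwx_private(self) -> bool:
        # Private RWX memory is what VirtualAllocEx + WriteProcessMemory injection leaves
        # behind; a legitimately mapped module is MEM_IMAGE with PAGE_EXECUTE_READ code.
        return self.protect == PAGE_EXECUTE_READWRITE and self.mem_type == MEM_PRIVATE


def parse_dump_id(name: str) -> DumpRegion:
    """Decode one '<...>.sdmp' identifier; raises ValueError if it does not fit the layout."""
    m = DUMP_RE.search(name)
    if m is None:
        raise ValueError("not a Joe Sandbox dump identifier: %r" % name)
    proc = int(m.group(1), 16)
    return DumpRegion(
        process_index=proc,
        pid=PROCESS_INDEX_TO_PID.get(proc),
        base=int(m.group(4), 16),
        protect=int(m.group(5), 16),
        mem_type=int(m.group(7), 16),
        raw_name=m.group(0),
    )


# The Yara-matched memory dumps listed in this report (constructed input for the demo).
YARA_MATCHED_DUMPS = [
    "00000000.00000002.1380024284.0000000004BA4000.00000004.00000800.00020000.00000000.sdmp",
    "00000003.00000002.2609693262.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "00000000.00000002.1380024284.0000000004BEF000.00000004.00000800.00020000.00000000.sdmp",
    "00000000.00000002.1380024284.0000000004801000.00000004.00000800.00020000.00000000.sdmp",
]


def hollowing_candidates(names: Sequence[str], image_base: int = 0x400000,
                         image_span: int = 0x100000) -> List[DumpRegion]:
    """Regions that look like an injected PE: private RWX memory at or just above
    the default 32-bit image base that the 'Memory written' entry reports."""
    return [r for r in map(parse_dump_id, names)
            if r.is_rwx_private and image_base <= r.base < image_base + image_span]


def summarize(names: Sequence[str]) -> List[str]:
    """One triage line per dump: which process, where, what protection, and a verdict."""
    flagged = {c.raw_name for c in hollowing_candidates(names)}
    lines = []
    for r in map(parse_dump_id, names):
        tag = "injected-image candidate" if r.raw_name in flagged else "heap/data"
        lines.append("proc %d (pid %s) base 0x%X %s %s -> %s"
                     % (r.process_index, r.pid, r.base, r.protect_name, r.type_name, tag))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(YARA_MATCHED_DUMPS)))
```

                  Run on the four Yara-matched dumps, only the process-3 region at 0x402000 comes out as an injected-image candidate; the three parent-process hits are PAGE_READWRITE heap regions holding the still-packed payloads. If the assumed layout is wrong for a different report version, parse_dump_id raises rather than silently mislabelling a region.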

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4bbb800.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4b705e0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4b705e0.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4bbb800.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.5tCuNr661k.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4ae0fc0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4a519a0.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.1380024284.0000000004BA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.2609693262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1380024284.0000000004BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1380024284.0000000004801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 5tCuNr661k.exe PID: 2700, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: 5tCuNr661k.exe PID: 1048, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4bbb800.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4b705e0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4b705e0.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4bbb800.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.5tCuNr661k.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4ae0fc0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.5tCuNr661k.exe.4a519a0.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.1380024284.0000000004BA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.2609693262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1380024284.0000000004BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1380024284.0000000004801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 5tCuNr661k.exe PID: 2700, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: 5tCuNr661k.exe PID: 1048, type: MEMORYSTR
                  MITRE ATT&CK matrix, by tactic; the number in parentheses is the signature-hit count the report shows next to the technique, and only techniques with at least one hit are listed:
                  Persistence: DLL Side-Loading (1)
                  Privilege Escalation: Process Injection (111); DLL Side-Loading (1)
                  Defense Evasion: Process Injection (111); Virtualization/Sandbox Evasion (31); Obfuscated Files or Information (2); Software Packing (2); Masquerading (1); Disable or Modify Tools (1); DLL Side-Loading (1)
                  Discovery: Virtualization/Sandbox Evasion (31); System Information Discovery (12); Security Software Discovery (1)
                  Collection: Archive Collected Data (1)
                  Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1)
                  Source | Detection | Scanner | Label
                  5tCuNr661k.exe | 71% | VirusTotal | -
                  5tCuNr661k.exe | 61% | ReversingLabs | Win32.Trojan.Jalapeno
                  5tCuNr661k.exe | 100% | Joe Sandbox ML | -
                  No Antivirus matches in the report's dropped-file, unpacked-PE, domain and URL tables.
                  No contacted domains info
                  Name | Malicious | Antivirus Detection | Reputation
                  87.120.120.86:1912 | false | - | high
                  Note: this is the only contacted endpoint, and port 1912 is the non-standard port the report's signatures flag; the false/high cells reflect what was known about the address at analysis time and should not be read as clearing the connection.
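                  Reading the IP table and the URL table together, the triage step a practitioner runs is to separate strings that name real endpoints from the XML namespace URIs that System.ServiceModel emits in every message. The script below is an added example, not Joe Sandbox or RedLine code. Its inputs are copied from the two tables on this page, and the list of framework namespace hosts is an assumption about which URIs WCF/SOAP code embeds without ever contacting them; the "common ports" set is likewise a choice made for this example.

```python
"""Separate contacted endpoints from framework namespace noise in the IOC tables.

Added example; not part of the Joe Sandbox report. Inputs are copied from the
IP and URL tables of this report. FRAMEWORK_NAMESPACE_HOSTS is an ASSUMPTION:
these hosts appear in any WCF/SOAP client as XML namespace URIs and are never
resolved or connected to.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

FRAMEWORK_NAMESPACE_HOSTS = frozenset({
    "tempuri.org",            # default WCF / ASP.NET web-service namespace
    "schemas.xmlsoap.org",    # SOAP 1.1 envelope namespace
    "schemas.microsoft.com",  # WCF / .NET serialization namespaces
    "www.w3.org",             # XML Schema and WS-Addressing namespaces
})
# Ports that would not by themselves trip a non-standard-port signature (example choice).
COMMON_PORTS = frozenset({80, 443})

# Constructed from this report's IP table and URL table.
REPORT_IPS = ["87.120.120.86:1912"]
REPORT_URLS = [
    "http://tempuri.org/Entity/Id10Response",
    "http://tempuri.org/Entity/Id24LR",
    "http://tempuri.org/Entity/Id8Response",
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://tempuri.org/Entity/Id2Response",
    "http://tempuri.org/Entity/Id10Response",  # the same URI recurs across memory dumps
]

Endpoint = Tuple[str, int, Tuple[str, ...]]


def classify_url(url: str) -> str:
    """'framework-namespace' for known XML namespace hosts, 'candidate-ioc' otherwise."""
    host = urlsplit(url).hostname
    if not host:
        return "malformed"
    return "framework-namespace" if host in FRAMEWORK_NAMESPACE_HOSTS else "candidate-ioc"


def parse_endpoint(value: str) -> Endpoint:
    """Parse 'ip:port' and attach the reasons a reviewer would flag it."""
    host, sep, port_text = value.rpartition(":")
    if not sep:
        raise ValueError("expected ip:port, got %r" % value)
    ip = ipaddress.ip_address(host.strip("[]"))  # tolerate bracketed IPv6 literals
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    flags = []
    if port not in COMMON_PORTS:
        flags.append("non-standard-port")
    if ip.is_private or ip.is_loopback:
        flags.append("non-routable")
    return str(ip), port, tuple(flags)


def triage(ips: Iterable[str], urls: Iterable[str]) -> Dict[str, object]:
    """Return actionable IOCs separately from namespace noise (noise is counted per host)."""
    iocs: List[Tuple[str, str, Tuple[str, ...]]] = []
    noise: Counter = Counter()
    for url in dict.fromkeys(urls):  # de-duplicate while keeping report order
        kind = classify_url(url)
        if kind == "framework-namespace":
            noise[urlsplit(url).hostname] += 1
        elif kind == "candidate-ioc":
            iocs.append(("url", url, ()))
    for raw in ips:
        ip, port, flags = parse_endpoint(raw)
        iocs.append(("endpoint", "%s:%d" % (ip, port), flags))
    return {"iocs": iocs, "framework_noise": dict(noise)}


if __name__ == "__main__":
    result = triage(REPORT_IPS, REPORT_URLS)
    for kind, value, flags in result["iocs"]:
        print(kind, value, ",".join(flags) or "-")
    print("namespace noise:", result["framework_noise"])
```

                  On this report's data the only actionable indicator left is 87.120.120.86:1912 with the non-standard-port flag; the tempuri.org and schemas.xmlsoap.org entries collapse into a per-host count of WCF noise. Hosts outside the namespace list are kept as candidate IOCs rather than dropped, so an unfamiliar URL is never silently filtered.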
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  Note: tempuri.org is the placeholder namespace WCF and ASP.NET web services use when no service namespace is configured, and http://schemas.xmlsoap.org/soap/envelope/ is the SOAP 1.1 envelope namespace; every URL in this table is an XML namespace or action URI embedded in the sample's WCF messages (the same System.ServiceModel stack seen in the .pdb strings and assembly queries above), not a host the sample contacts. Unless noted, each URL was found in the same five memory regions of process index 3 (the injected child), dump 00000003.00000002.2611336535 at 0x2A31000, 0x2B3E000, 0x2B93000, 0x2BE2000 and 0x2C30000, and is marked malicious: false, reputation: high.
                  http://tempuri.org/Entity/Id10Response
                  http://tempuri.org/Entity/Id24LR
                  http://tempuri.org/Entity/Id8Response
                  http://tempuri.org/Entity/Id22LR
                  http://tempuri.org/Entity/Id20LR
                  http://tempuri.org/Entity/Id12Response
                  http://schemas.xmlsoap.org/soap/envelope/ (0x2A31000 region only)
                  http://tempuri.org/Entity/Id2Response
                  http://tempuri.org/Entity/Id21Response
                  http://tempuri.org/Entity/Id19LR
                  http://tempuri.org/Entity/Id23Response
                  http://tempuri.org/Entity/Id17LR
                  http://tempuri.org/Entity/Id15LR
                  http://tempuri.org/Entity/Id9LR | malicious: false
                                                high
                                                http://tempuri.org/Entity/Id19Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://tempuri.org/Entity/Id13LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://tempuri.org/Entity/Id7LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://tempuri.org/Entity/Id11LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2004/08/addressing/fault5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://tempuri.org/Entity/Id17Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://tempuri.org/Entity/Id1LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://tempuri.org/Entity/Id5LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://tempuri.org/Entity/Id20Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/Entity/Id3LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/Entity/Id15Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id13Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id4Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://tempuri.org/Entity/Id6Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://api.ip.sb/ip5tCuNr661k.exe, 00000000.00000002.1380024284.0000000004BA4000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000000.00000002.1380024284.0000000004BEF000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000000.00000002.1380024284.0000000004801000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2609693262.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id23LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://tempuri.org/Entity/Id7Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://tempuri.org/Entity/Id21LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/x5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://tempuri.org/Entity/Id11Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/Entity/Id9Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://tempuri.org/Entity/Id22Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id24Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id1Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id18LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id16LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id8LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id14LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id6LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id18Response5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id12LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/Entity/Id10LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id4LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id2LR5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rmX5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
URL:http://tempuri.org/Entity/Id3Response
Source:5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://localhost/arkanoid_server/requests.php
Source:5tCuNr661k.exe, 00000000.00000002.1376910425.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source:5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://tempuri.org/Entity/Id16Response
Source:5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://tempuri.org/Entity/Id5Response
Source:5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source:5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/soap/actor/next
Source:5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source:5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://tempuri.org/Entity/Id14Response
Source:5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000003.00000002.2611336535.0000000002B93000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high
IP:87.120.120.86
Domain:unknown
Country:Bulgaria
ASN:25206
ASN Name:UNACS-AS-BG8000BurgasBG
Malicious:true
                                                                                                                                                        Joe Sandbox version:42.0.0 Malachite
                                                                                                                                                        Analysis ID:1588744
                                                                                                                                                        Start date and time:2025-01-11 04:56:12 +01:00
                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                        Overall analysis duration:0h 5m 1s
                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                        Report type:full
                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                        Technologies:
                                                                                                                                                        • HCA enabled
                                                                                                                                                        • EGA enabled
                                                                                                                                                        • AMSI enabled
                                                                                                                                                        Analysis Mode:default
                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                        Sample name:5tCuNr661k.exe
                                                                                                                                                        renamed because original name is a hash value
                                                                                                                                                        Original Sample Name:309621355c48f1d8b77d4df0cfb99a32dbd0ab78f234b6c12934d9f3a1503af8.exe
                                                                                                                                                        Detection:MAL
                                                                                                                                                        Classification:mal96.troj.evad.winEXE@3/1@0/1
                                                                                                                                                        EGA Information:
                                                                                                                                                        • Successful, ratio: 100%
                                                                                                                                                        HCA Information:
                                                                                                                                                        • Successful, ratio: 95%
                                                                                                                                                        • Number of executed functions: 74
                                                                                                                                                        • Number of non-executed functions: 13
                                                                                                                                                        Cookbook Comments:
                                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 4.175.87.197
                                                                                                                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time:22:57:06
Type:API Interceptor
Description:1x Sleep call for process: 5tCuNr661k.exe modified
Match:87.120.120.86
Associated Sample Name / URL (Detection; Threat Name):
• shaLnqmyTS.exe (malicious; RedLine)
• shaLnqmyTS.exe (malicious; RedLine)
• zAGUEDGSTM.exe (malicious; RedLine)
• C5Zr4LSzmp.exe (malicious; RedLine)
• C5Zr4LSzmp.exe (malicious; RedLine)
• VmoLw6EKj5.exe (malicious; RedLine)
• Xf3rn1smZw.exe (malicious; RedLine)
• 2eRd5imEKU.exe (malicious; RedLine)
• 2eRd5imEKU.exe (malicious; RedLine)
• 17.12.2024 ________.exe (malicious; RedLine)
No context
Match:UNACS-AS-BG8000BurgasBG
Associated Sample Name / URL (Detection; Threat Name; IP):
• shaLnqmyTS.exe (malicious; RedLine; 87.120.120.86)
• shaLnqmyTS.exe (malicious; RedLine; 87.120.120.86)
• zAGUEDGSTM.exe (malicious; RedLine; 87.120.120.86)
• WtZl31OLfA.exe (malicious; Remcos, GuLoader; 87.120.116.187)
• C5Zr4LSzmp.exe (malicious; RedLine; 87.120.120.86)
• C5Zr4LSzmp.exe (malicious; RedLine; 87.120.120.86)
• 2XnMqJW0u1.exe (malicious; XWorm; 87.120.120.15)
• VmoLw6EKj5.exe (malicious; RedLine; 87.120.120.86)
• QwMcsmYcxv.exe (malicious; AsyncRAT, VenomRAT; 87.120.120.15)
• QwMcsmYcxv.exe (malicious; AsyncRAT, VenomRAT; 87.120.120.15)
No context
No context
                                                                                                                                                                            Process:C:\Users\user\Desktop\5tCuNr661k.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1216
                                                                                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                            Entropy (8bit):7.630688730462622
                                                                                                                                                                            TrID:
                                                                                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                            File name:5tCuNr661k.exe
                                                                                                                                                                            File size:877'568 bytes
                                                                                                                                                                            MD5:12dea314db7aa2b97f2c43a4081d4f66
                                                                                                                                                                            SHA1:67c73c5207f877ca7a075f38ff32acb4129ecf17
                                                                                                                                                                            SHA256:309621355c48f1d8b77d4df0cfb99a32dbd0ab78f234b6c12934d9f3a1503af8
                                                                                                                                                                            SHA512:9c9dd9b9011739ce1159e302690dc522110d5fe33b671074aa1193b9cc7576abc9d4017ff49adf2c473d8e52582395f0b3a9f2db65e026e0e021c8067facabdc
                                                                                                                                                                            SSDEEP:24576:3fIeejFpYqPMy5lp8/EZWmBCfpAJ7WXYsstJ:PBejFp/0iwReChA1WXCf
                                                                                                                                                                            TLSH:BC15F198B600F48FC843C6318E69EC7466506DEED207930B65D73EAFF96EA538D16093
                                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ng..............0..P...........o... ........@.. ....................................@................................
                                                                                                                                                                            Icon Hash:4b66a4ecc5ce527b
                                                                                                                                                                            Entrypoint:0x4c6f2e
                                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                                            Digitally signed:false
                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                            Time Stamp:0x674EADCB [Tue Dec 3 07:05:47 2024 UTC]
                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                            OS Version Major:4
                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                            File Version Major:4
                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                            Subsystem Version Major:4
                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times)

The entry point is the standard native stub of a .NET executable: a single 6-byte jmp through the IAT slot at 0x402000 (RVA 0x2000 assuming the default image base of 0x400000; see IMAGE_DIRECTORY_ENTRY_IAT below), which resolves to mscoree!_CorExeMain, the binary's only native import. The 97 repeated add byte ptr [eax], al lines are the disassembler decoding the zero padding that follows the stub, not real code; the managed payload starts at the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR).
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc6ed4          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc8000          0x10e18       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xda000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xc4f34       0xc5000   f11c7a9b86e5243671e47fb6141ada0f  False     0.9096890367227157  data       7.784152143328839    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xc8000          0x10e18       0x11000   322916f6508e625b6efcc1faccf298ba  False     0.2195111443014706  data       4.328310135772269    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xda000          0xc           0x200     52821257853a5c24cd2290f100afe99a  False     0.044921875         data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
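The .text entropy of 7.78 bits/byte and ZLIB complexity of 0.91 in the section table are the numbers a triage analyst reads first: ordinary compiled code compresses well and sits far below 7 bits/byte, so an executable section that barely compresses is carrying an encrypted or packed payload that is unpacked at run time (consistent with the injection behaviour listed in the signatures). The following is an added example, not code from the Joe Sandbox report or from the RedLine sample: it walks the PE section table with the standard library, computes the same two metrics, and flags executable sections that look packed. The definition of ZLIB complexity as compressed size divided by raw size, the 7.0 entropy floor, and the two-section PE image it builds for offline use are all assumptions of this example.

```python
import hashlib
import math
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a run of one value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size. Assumed to be what the report's 'ZLIB Complexity'
    column measures; values near (or above) 1.0 mean the bytes do not compress."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_sections(pe: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _reloc, _line, _nreloc, _nline, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va,
            "vsize": vsize,
            "raw_size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "entropy": shannon_entropy(raw),
            "zlib": zlib_complexity(raw),
            "executable": bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
        })
    return sections


def packed_code_sections(sections, entropy_floor: float = 7.0) -> list:
    """Names of executable sections whose bytes look encrypted or compressed.
    Plain x86/.NET code normally sits well below 7 bits/byte; the 7.78 of the
    sample's .text is what an obfuscated or encrypted payload looks like."""
    return [s["name"] for s in sections if s["executable"] and s["entropy"] >= entropy_floor]


def build_demo_pe() -> bytes:
    """Constructed two-section PE32 image for offline use; not the analysed sample.
    .text carries pseudo-random bytes, .rsrc carries zeros."""
    text_raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # 512 bytes
    rsrc_raw = b"\0" * 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    optional = struct.pack("<H", 0x10B) + b"\0" * (224 - 2)          # PE32 magic, rest zero
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(optional), 0x0102)

    def section(name, va, vsize, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    image = dos + b"PE\0\0" + coff + optional
    image += section(b".text", 0x2000, len(text_raw), 0x200, 0x200, 0x60000020)  # CODE|EXECUTE|READ
    image += section(b".rsrc", 0x4000, len(rsrc_raw), 0x200, 0x400, 0x40000040)  # INITIALIZED_DATA|READ
    image += b"\0" * (0x200 - len(image))                                         # pad headers to 0x200
    return image + text_raw + rsrc_raw


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    for s in parse_sections(data):
        print(f"{s['name']:<8} va=0x{s['va']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.3f} zlib={s['zlib']:.3f} exec={s['executable']}")
    print("packed code sections:", packed_code_sections(parse_sections(data)))
```

Run it with a path to a PE on disk to reproduce the report's per-section entropy and MD5 columns; without an argument it analyses the constructed image. Note that a high-entropy .text is a strong packing indicator but not proof by itself: check it together with the empty IMAGE_DIRECTORY_ENTRY_SECURITY (no Authenticode signature) and the single mscoree import, which together say that everything interesting in this file is in the managed payload, not in the native headers.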
Name           RVA      Size     Type                                                                                              Language  Country  ZLIB Complexity
RT_ICON        0xc8160  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m                     0.21470188098899798
RT_GROUP_ICON  0xd8988  0x14     data                                                                                                                 1.0
RT_GROUP_ICON  0xd899c  0x14     data                                                                                                                 1.05
RT_VERSION     0xd89b0  0x278    data                                                                                                                 0.4699367088607595
RT_MANIFEST    0xd8c28  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                                    0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 11, 2025 04:57:09.552530050 CET  49756        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:57:09.557527065 CET  1912         49756      87.120.120.86  192.168.2.9
Jan 11, 2025 04:57:09.557693005 CET  49756        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:57:09.570497036 CET  49756        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:57:09.575388908 CET  1912         49756      87.120.120.86  192.168.2.9
Jan 11, 2025 04:57:30.912101984 CET  1912         49756      87.120.120.86  192.168.2.9
Jan 11, 2025 04:57:30.912190914 CET  49756        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:57:30.935189962 CET  49756        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:57:35.957926035 CET  49924        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:57:35.962800026 CET  1912         49924      87.120.120.86  192.168.2.9
Jan 11, 2025 04:57:35.962867022 CET  49924        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:57:35.963116884 CET  49924        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:57:35.967895031 CET  1912         49924      87.120.120.86  192.168.2.9
Jan 11, 2025 04:57:57.340006113 CET  1912         49924      87.120.120.86  192.168.2.9
Jan 11, 2025 04:57:57.340117931 CET  49924        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:57:57.340383053 CET  49924        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:02.407208920 CET  49980        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:02.412307978 CET  1912         49980      87.120.120.86  192.168.2.9
Jan 11, 2025 04:58:02.414978981 CET  49980        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:02.415208101 CET  49980        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:02.419966936 CET  1912         49980      87.120.120.86  192.168.2.9
Jan 11, 2025 04:58:23.773108959 CET  1912         49980      87.120.120.86  192.168.2.9
Jan 11, 2025 04:58:23.773334026 CET  49980        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:23.774255037 CET  49980        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:28.785316944 CET  49981        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:28.790231943 CET  1912         49981      87.120.120.86  192.168.2.9
Jan 11, 2025 04:58:28.790321112 CET  49981        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:28.790657997 CET  49981        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:28.795547962 CET  1912         49981      87.120.120.86  192.168.2.9
Jan 11, 2025 04:58:50.166528940 CET  1912         49981      87.120.120.86  192.168.2.9
Jan 11, 2025 04:58:50.169106007 CET  49981        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:50.169229984 CET  49981        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:55.175848961 CET  49982        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:55.180656910 CET  1912         49982      87.120.120.86  192.168.2.9
Jan 11, 2025 04:58:55.180792093 CET  49982        1912       192.168.2.9    87.120.120.86
Jan 11, 2025 04:58:55.181050062 CET  49982        1912       192.168.2.9    87.120.120.86
                                                                                                                                                                            Jan 11, 2025 04:58:55.185864925 CET19124998287.120.120.86192.168.2.9

Target ID: 0
Start time: 22:57:06
Start date: 10/01/2025
Path: C:\Users\user\Desktop\5tCuNr661k.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\5tCuNr661k.exe"
Imagebase: 0xa20000
File size: 877'568 bytes
MD5 hash: 12DEA314DB7AA2B97F2C43A4081D4F66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1380024284.0000000004BA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1380024284.0000000004BEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1380024284.0000000004801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 22:57:07
Start date: 10/01/2025
Path: C:\Users\user\Desktop\5tCuNr661k.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\5tCuNr661k.exe"
Imagebase: 0x5f0000
File size: 877'568 bytes
MD5 hash: 12DEA314DB7AA2B97F2C43A4081D4F66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2609693262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 11.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 3%
Total number of Nodes: 297
Total number of Limit Nodes: 20
                                                                                                                                                                              execution_graph 33378 10ed01c 33379 10ed034 33378->33379 33380 10ed08e 33379->33380 33386 53c5348 33379->33386 33390 53c5030 33379->33390 33395 53c3024 33379->33395 33404 53c5399 33379->33404 33408 53c60a8 33379->33408 33387 53c536e 33386->33387 33388 53c3024 CallWindowProcW 33387->33388 33389 53c538f 33388->33389 33389->33380 33391 53c5312 33390->33391 33392 53c3024 CallWindowProcW 33391->33392 33393 53c5319 33391->33393 33394 53c538f 33392->33394 33393->33380 33394->33380 33396 53c302f 33395->33396 33397 53c6119 33396->33397 33399 53c6109 33396->33399 33400 53c6117 33397->33400 33433 53c314c 33397->33433 33417 53c630c 33399->33417 33423 53c6233 33399->33423 33428 53c6240 33399->33428 33405 53c5377 33404->33405 33406 53c538f 33405->33406 33407 53c3024 CallWindowProcW 33405->33407 33406->33380 33407->33406 33410 53c60b8 33408->33410 33409 53c6119 33411 53c314c CallWindowProcW 33409->33411 33413 53c6117 33409->33413 33410->33409 33412 53c6109 33410->33412 33411->33413 33414 53c630c CallWindowProcW 33412->33414 33415 53c6240 CallWindowProcW 33412->33415 33416 53c6233 CallWindowProcW 33412->33416 33414->33413 33415->33413 33416->33413 33418 53c62ca 33417->33418 33419 53c631a 33417->33419 33437 53c62f8 33418->33437 33440 53c62e7 33418->33440 33420 53c62e0 33420->33400 33425 53c6240 33423->33425 33424 53c62e0 33424->33400 33426 53c62f8 CallWindowProcW 33425->33426 33427 53c62e7 CallWindowProcW 33425->33427 33426->33424 33427->33424 33430 53c6254 33428->33430 33429 53c62e0 33429->33400 33431 53c62f8 CallWindowProcW 33430->33431 33432 53c62e7 CallWindowProcW 33430->33432 33431->33429 33432->33429 33434 53c3157 33433->33434 33435 53c77fa CallWindowProcW 33434->33435 33436 53c77a9 33434->33436 33435->33436 33436->33400 33438 53c6309 33437->33438 33443 53c7732 33437->33443 33438->33420 33441 53c6309 
33440->33441 33442 53c7732 CallWindowProcW 33440->33442 33441->33420 33442->33441 33444 53c314c CallWindowProcW 33443->33444 33445 53c774a 33444->33445 33445->33438 33446 53c5928 33447 53c593c 33446->33447 33449 53c5958 33447->33449 33450 53c0910 33447->33450 33451 53c0920 33450->33451 33452 53c093d 33451->33452 33455 53c09b0 33451->33455 33467 53c09c0 33451->33467 33452->33449 33456 53c0a06 GetCurrentProcess 33455->33456 33458 53c0a58 GetCurrentThread 33456->33458 33459 53c0a51 33456->33459 33460 53c0a8e 33458->33460 33461 53c0a95 GetCurrentProcess 33458->33461 33459->33458 33460->33461 33462 53c0acb 33461->33462 33465 53c0f70 33462->33465 33479 53c0b90 33462->33479 33463 53c0af3 GetCurrentThreadId 33464 53c0b24 33463->33464 33464->33452 33465->33463 33468 53c0a06 GetCurrentProcess 33467->33468 33470 53c0a58 GetCurrentThread 33468->33470 33472 53c0a51 33468->33472 33471 53c0a95 GetCurrentProcess 33470->33471 33474 53c0a8e 33470->33474 33473 53c0acb 33471->33473 33472->33470 33477 53c0f70 33473->33477 33478 53c0b90 2 API calls 33473->33478 33474->33471 33475 53c0af3 GetCurrentThreadId 33476 53c0b24 33475->33476 33476->33452 33477->33475 33478->33475 33483 53c0c08 DuplicateHandle 33479->33483 33485 53c0c00 DuplicateHandle 33479->33485 33480 53c0bce 33480->33463 33484 53c0c9e 33483->33484 33484->33480 33486 53c0c9e 33485->33486 33486->33480 33487 14ce798 33488 14ce7da 33487->33488 33489 14ce7e0 GetModuleHandleW 33487->33489 33488->33489 33490 14ce80d 33489->33490 33203 97fbbf9 33208 97fc509 33203->33208 33223 97fc576 33203->33223 33240 97fc518 33203->33240 33204 97fbc1e 33209 97fc518 33208->33209 33255 97fccb9 33209->33255 33260 97fcada 33209->33260 33265 97fc99c 33209->33265 33270 97fcb9d 33209->33270 33274 97fcaee 33209->33274 33279 97fcb3e 33209->33279 33288 97fcc32 33209->33288 33293 97fcc45 33209->33293 33298 97fcce7 33209->33298 33303 97fcb58 33209->33303 33308 97fc838 33209->33308 33314 97fca38 33209->33314 33210 97fc556 33210->33204 33225 97fc504 33223->33225 
33227 97fc579 33223->33227 33224 97fc506 33224->33204 33225->33224 33228 97fcb3e 4 API calls 33225->33228 33229 97fcaee 2 API calls 33225->33229 33230 97fcb9d 2 API calls 33225->33230 33231 97fc99c 2 API calls 33225->33231 33232 97fcada 2 API calls 33225->33232 33233 97fccb9 2 API calls 33225->33233 33234 97fca38 4 API calls 33225->33234 33235 97fc838 2 API calls 33225->33235 33236 97fcb58 2 API calls 33225->33236 33237 97fcce7 2 API calls 33225->33237 33238 97fcc45 2 API calls 33225->33238 33239 97fcc32 2 API calls 33225->33239 33226 97fc556 33226->33204 33227->33204 33228->33226 33229->33226 33230->33226 33231->33226 33232->33226 33233->33226 33234->33226 33235->33226 33236->33226 33237->33226 33238->33226 33239->33226 33241 97fc532 33240->33241 33243 97fcb3e 4 API calls 33241->33243 33244 97fcaee 2 API calls 33241->33244 33245 97fcb9d 2 API calls 33241->33245 33246 97fc99c 2 API calls 33241->33246 33247 97fcada 2 API calls 33241->33247 33248 97fccb9 2 API calls 33241->33248 33249 97fca38 4 API calls 33241->33249 33250 97fc838 2 API calls 33241->33250 33251 97fcb58 2 API calls 33241->33251 33252 97fcce7 2 API calls 33241->33252 33253 97fcc45 2 API calls 33241->33253 33254 97fcc32 2 API calls 33241->33254 33242 97fc556 33242->33204 33243->33242 33244->33242 33245->33242 33246->33242 33247->33242 33248->33242 33249->33242 33250->33242 33251->33242 33252->33242 33253->33242 33254->33242 33256 97fcc55 33255->33256 33323 97fb3c8 33256->33323 33327 97fb3d0 33256->33327 33257 97fd3b8 33261 97fcae7 33260->33261 33331 97fb490 33261->33331 33335 97fb488 33261->33335 33262 97fd1e8 33266 97fc917 33265->33266 33339 97fb70e 33266->33339 33343 97fb718 33266->33343 33272 97fb488 WriteProcessMemory 33270->33272 33273 97fb490 WriteProcessMemory 33270->33273 33271 97fcbc4 33271->33210 33272->33271 33273->33271 33275 97fcb09 33274->33275 33277 97fb3c8 VirtualAllocEx 33275->33277 33278 97fb3d0 VirtualAllocEx 33275->33278 33276 97fd3b8 33277->33276 33278->33276 33280 97fcb76 
33279->33280 33283 97fca41 33279->33283 33286 97fb3c8 VirtualAllocEx 33280->33286 33287 97fb3d0 VirtualAllocEx 33280->33287 33281 97fd3b8 33282 97fd408 33283->33279 33283->33280 33283->33282 33347 97fb57a 33283->33347 33351 97fb580 33283->33351 33286->33281 33287->33281 33289 97fd163 33288->33289 33355 97fb2f8 33289->33355 33359 97fb2f2 33289->33359 33290 97fd17e 33294 97fcc55 33293->33294 33296 97fb3c8 VirtualAllocEx 33294->33296 33297 97fb3d0 VirtualAllocEx 33294->33297 33295 97fd3b8 33296->33295 33297->33295 33300 97fca89 33298->33300 33299 97fd41b 33299->33210 33300->33299 33363 97fa9d8 33300->33363 33367 97fa9d0 33300->33367 33304 97fcb5e 33303->33304 33306 97fb3c8 VirtualAllocEx 33304->33306 33307 97fb3d0 VirtualAllocEx 33304->33307 33305 97fd3b8 33306->33305 33307->33305 33310 97fc86b 33308->33310 33309 97fd47f 33309->33210 33310->33309 33312 97fb70e CreateProcessA 33310->33312 33313 97fb718 CreateProcessA 33310->33313 33311 97fca19 33311->33210 33312->33311 33313->33311 33317 97fca41 33314->33317 33315 97fcb76 33321 97fb3c8 VirtualAllocEx 33315->33321 33322 97fb3d0 VirtualAllocEx 33315->33322 33316 97fd3b8 33317->33315 33318 97fd408 33317->33318 33319 97fb57a ReadProcessMemory 33317->33319 33320 97fb580 ReadProcessMemory 33317->33320 33319->33317 33320->33317 33321->33316 33322->33316 33324 97fb410 VirtualAllocEx 33323->33324 33326 97fb44d 33324->33326 33326->33257 33328 97fb410 VirtualAllocEx 33327->33328 33330 97fb44d 33328->33330 33330->33257 33332 97fb4d8 WriteProcessMemory 33331->33332 33334 97fb52f 33332->33334 33334->33262 33336 97fb4d8 WriteProcessMemory 33335->33336 33338 97fb52f 33336->33338 33338->33262 33340 97fb7a1 CreateProcessA 33339->33340 33342 97fb963 33340->33342 33344 97fb7a1 CreateProcessA 33343->33344 33346 97fb963 33344->33346 33348 97fb5cb ReadProcessMemory 33347->33348 33350 97fb60f 33348->33350 33350->33283 33352 97fb5cb ReadProcessMemory 33351->33352 33354 97fb60f 33352->33354 33354->33283 33356 97fb33d Wow64SetThreadContext 
33355->33356 33358 97fb385 33356->33358 33358->33290 33360 97fb33d Wow64SetThreadContext 33359->33360 33362 97fb385 33360->33362 33362->33290 33364 97faa18 ResumeThread 33363->33364 33366 97faa49 33364->33366 33366->33300 33368 97faa18 ResumeThread 33367->33368 33370 97faa49 33368->33370 33370->33300 33371 97fdaf8 33372 97fdc83 33371->33372 33374 97fdb1e 33371->33374 33374->33372 33375 97fd6f4 33374->33375 33376 97fdd78 PostMessageW 33375->33376 33377 97fdde4 33376->33377 33377->33374 33491 14c7830 33492 14c783a 33491->33492 33496 14c7d28 33491->33496 33501 14c7408 33492->33501 33494 14c7855 33497 14c7d4d 33496->33497 33505 14c7e38 33497->33505 33509 14c7e27 33497->33509 33502 14c7413 33501->33502 33504 14ca56f 33502->33504 33517 14c9498 33502->33517 33504->33494 33507 14c7e5f 33505->33507 33506 14c7f3c 33506->33506 33507->33506 33513 14c7a4c 33507->33513 33511 14c7e38 33509->33511 33510 14c7f3c 33510->33510 33511->33510 33512 14c7a4c CreateActCtxA 33511->33512 33512->33510 33514 14c8ec8 CreateActCtxA 33513->33514 33516 14c8f8b 33514->33516 33518 14c94a3 33517->33518 33521 14c9518 33518->33521 33520 14ca8ed 33520->33504 33522 14c9523 33521->33522 33525 14c9548 33522->33525 33524 14ca9c2 33524->33520 33526 14c9553 33525->33526 33529 14c9568 33526->33529 33528 14caac5 33528->33524 33531 14c9573 33529->33531 33530 14cbe09 33530->33528 33531->33530 33534 53c05d8 33531->33534 33540 53c05c8 33531->33540 33535 53c05f9 33534->33535 33536 53c061d 33535->33536 33538 53c0910 10 API calls 33535->33538 33546 53c0899 33535->33546 33551 53c0901 33535->33551 33536->33530 33538->33536 33541 53c05d8 33540->33541 33542 53c061d 33541->33542 33543 53c0899 CreateWindowExW 33541->33543 33544 53c0910 10 API calls 33541->33544 33545 53c0901 10 API calls 33541->33545 33542->33530 33543->33542 33544->33542 33545->33542 33547 53c08b5 33546->33547 33548 53c08ef 33547->33548 33556 53c15ac 33547->33556 33560 53c15b8 33547->33560 33548->33536 33553 53c0920 33551->33553 33552 53c093d 33552->33536 
33553->33552 33554 53c09b0 6 API calls 33553->33554 33555 53c09c0 6 API calls 33553->33555 33554->33552 33555->33552 33557 53c15e0 33556->33557 33559 53c1608 33557->33559 33564 53c0ff4 33557->33564 33559->33559 33561 53c15e0 33560->33561 33562 53c0ff4 CreateWindowExW 33561->33562 33563 53c1608 33561->33563 33562->33563 33565 53c0fff 33564->33565 33569 53c33f0 33565->33569 33575 53c3408 33565->33575 33566 53c16b1 33566->33559 33571 53c3539 33569->33571 33572 53c3439 33569->33572 33570 53c3445 33570->33566 33571->33566 33572->33570 33573 53c4260 CreateWindowExW 33572->33573 33574 53c4250 CreateWindowExW 33572->33574 33573->33571 33574->33571 33577 53c3539 33575->33577 33578 53c3439 33575->33578 33576 53c3445 33576->33566 33577->33566 33578->33576 33579 53c4260 CreateWindowExW 33578->33579 33580 53c4250 CreateWindowExW 33578->33580 33579->33577 33580->33577
Memory Dump Source
• Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4074ad425185d562d423c178f9cc890c2279e365272a580a674924fdba60f4d
• Instruction ID: 397907fa5f4fd119f6530f1b5e545ba076642c34182e08af85f8ec9e472e487e
• Opcode Fuzzy Hash: d4074ad425185d562d423c178f9cc890c2279e365272a580a674924fdba60f4d
• Instruction Fuzzy Hash: CF327B72B016059FDB24EFA5C464BAEB7F6AF89700F10846DE206AB3A0DB35DD01CB51

Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d16f3d0984e95e33b261aabed597ae41b76dc0a61374bf66993dfd4eb5b5d302
• Instruction ID: 2cb7ab6f7510c37ac700f99aeb1737cbc4d98079f9087ece75ad80715cecb54c
• Opcode Fuzzy Hash: d16f3d0984e95e33b261aabed597ae41b76dc0a61374bf66993dfd4eb5b5d302
• Instruction Fuzzy Hash: 6DC10138A14201CFC7E9CF24C9C58A6BBB2FF80B15715856FD042CB662D7B5E952CB89

Memory Dump Source
• Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5667a11effd2d04cea866c48f638c48d41900416ccccf8d2874fd836c91a9e8
• Instruction ID: 3134147fd571bbf3edc6a5955f835594b0ba4c22726c34ac712d55f1e8eafc90
• Opcode Fuzzy Hash: f5667a11effd2d04cea866c48f638c48d41900416ccccf8d2874fd836c91a9e8
• Instruction Fuzzy Hash: 0FC16F31A002158FDB04EFA4C894AAEBBB2BF84300F1589A9E51AAF355DF70ED45CB51

Memory Dump Source
• Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b94e26ba0c5265dc40c9b876a9838745a69a79f05cd52a98c62c8512c05b4738
• Instruction ID: c4b6a7a5e19692c6dda7c52114c1a9d0b770794d13ff1b8c9f430e3af334c9d3
• Opcode Fuzzy Hash: b94e26ba0c5265dc40c9b876a9838745a69a79f05cd52a98c62c8512c05b4738
• Instruction Fuzzy Hash: 99B16E71A002158FDB04EFA4C894AAEBBB2FF84300F1589A9E50AAF355DF70ED45CB51

Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: d25c5b5c8cef88d9aa5d5017e9b93afbcc9d9794b56cd791cebfe6af3507acb6
                                                                                                                                                                              • Instruction ID: 561d4638178ad431bdaf6f8c80f0836162ee244222ce705b108541baaa5a39c5
                                                                                                                                                                              • Opcode Fuzzy Hash: d25c5b5c8cef88d9aa5d5017e9b93afbcc9d9794b56cd791cebfe6af3507acb6
                                                                                                                                                                              • Instruction Fuzzy Hash: 72B1F038914301CFC3E9CF24C9D58A6BBB1FF41B15725856FD0428B662D7B5E942CB89
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: c7a5ccb103c6934bcecd8724184ef43f86e2941f3f5610e726ad180cd80815a1
                                                                                                                                                                              • Instruction ID: 4c4a40d4a14f810d36a3cb04893ca8dca5a1fb22db5e0f87d0184655b0bf4a72
                                                                                                                                                                              • Opcode Fuzzy Hash: c7a5ccb103c6934bcecd8724184ef43f86e2941f3f5610e726ad180cd80815a1
                                                                                                                                                                              • Instruction Fuzzy Hash: 0BB1F138A14201CFC3E9CF24C9C5CA6BBB1FB40B15716856FD0428B672D7B5E956CB89
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 7f6a9338afd6622e6082b17f5ad0173da1696383ecff7105a98f31f22a4809ce
                                                                                                                                                                              • Instruction ID: 46a43968b0fda7c7039211baf751b345defcd1b00d47f8c5f914252d935f61f0
                                                                                                                                                                              • Opcode Fuzzy Hash: 7f6a9338afd6622e6082b17f5ad0173da1696383ecff7105a98f31f22a4809ce
                                                                                                                                                                              • Instruction Fuzzy Hash: 3DB10238A14201CFC3E9CF24C9C5CA6B7B1FF80B15716856FD0428B662DBB5E956CB89
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 32743b0e42126f7ee32638479ad0e5dd270038bfafb3d3d38f5a45301bab2b43
                                                                                                                                                                              • Instruction ID: 284124732d941984b0b43dbcd4faf64093ee7c35c6198276d40743609e99dc87
                                                                                                                                                                              • Opcode Fuzzy Hash: 32743b0e42126f7ee32638479ad0e5dd270038bfafb3d3d38f5a45301bab2b43
                                                                                                                                                                              • Instruction Fuzzy Hash: E1B1EF38A14201CFC3E9CF24C9C5CA6BBB1FF80B15716856FD0428B662D7B5E952CB89
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 8af17d598ce5869e6d969ba9c45db0a7cb4efdf3a4deccd901a69c7a53322a4f
                                                                                                                                                                              • Instruction ID: 8aa79c766acbadf88ca8515b09002a3b50d729af2ad9491082e91ca9be1bf820
                                                                                                                                                                              • Opcode Fuzzy Hash: 8af17d598ce5869e6d969ba9c45db0a7cb4efdf3a4deccd901a69c7a53322a4f
                                                                                                                                                                              • Instruction Fuzzy Hash: 67B1EF38A24301CFC3E9CF24C9D5CA6BBB1FB40B15716456FD0428B662E7B5E952CB89
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: d8ddb111ca65f38c2666fb4b5af97d1cc5ceec0e9ae4b35d67f98239cf92c3b2
                                                                                                                                                                              • Instruction ID: de4a7cb9297320b0cc01bb757ef10f11eeb1743df039c3b7c0a75c713ab57049
                                                                                                                                                                              • Opcode Fuzzy Hash: d8ddb111ca65f38c2666fb4b5af97d1cc5ceec0e9ae4b35d67f98239cf92c3b2
                                                                                                                                                                              • Instruction Fuzzy Hash: F6B1F038914301CFC3E9CF24C9C5CA6BBB1FB40B15716456FD0428B662D7B6E952CB89
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 2c7e77ae18cdeea99e027cf3565c7dd99692c99e993e0b6b9ef6067faaffba18
                                                                                                                                                                              • Instruction ID: 4bf6e08ba54943a1b1ab8e8bdffada72a96ee395eb6efd6a5833d7ce2fe230dd
                                                                                                                                                                              • Opcode Fuzzy Hash: 2c7e77ae18cdeea99e027cf3565c7dd99692c99e993e0b6b9ef6067faaffba18
                                                                                                                                                                              • Instruction Fuzzy Hash: 84B1FF38A14301CFC3E9CF24C9C5CA6BBB1FB40B1571685AFD0428B662D7B5E956CB89
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 8bea5f70a7b442e710ab912f2645199622296d4abc5aa21ecebe09988ed4c24f
                                                                                                                                                                              • Instruction ID: e269e125c33c75b7c78e9d517b8f7024ca579fddbec35a4f37e865c544073ebc
                                                                                                                                                                              • Opcode Fuzzy Hash: 8bea5f70a7b442e710ab912f2645199622296d4abc5aa21ecebe09988ed4c24f
                                                                                                                                                                              • Instruction Fuzzy Hash: 6BB1FF38A14201CFC3E9CF24C9D5CA6BBB1FF40B15716856FD0428B662D7B5E952CB8A
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 6563ee860da3794b9412024c1d087c01d981d63ce9f0e6d3329c53853a2f2e2b
                                                                                                                                                                              • Instruction ID: 7ad818ffde455b27156cb42b0105b64f2a1e228178b1089b13f955001e986391
                                                                                                                                                                              • Opcode Fuzzy Hash: 6563ee860da3794b9412024c1d087c01d981d63ce9f0e6d3329c53853a2f2e2b
                                                                                                                                                                              • Instruction Fuzzy Hash: 35B12C39A14202CFC399CF29C985866BBB5FB40B00712856FE016CF6A1D7F5ED12CB89
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 51cc7047314ee5d4b47dfa6b5b0b406f49680d03d6f0469a618517318d6fc6a1
                                                                                                                                                                              • Instruction ID: 0245600a9d4fc8927b0711d6c7a510f57e3c694909b013d1889336eee3d3029e
                                                                                                                                                                              • Opcode Fuzzy Hash: 51cc7047314ee5d4b47dfa6b5b0b406f49680d03d6f0469a618517318d6fc6a1
                                                                                                                                                                              • Instruction Fuzzy Hash: 2981D074A01245CFC7A4CFA9C8959AEBBF1FF45714B1080AFE455AB262D7329C06CF91
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eed4d8d377926f1e9a5ac00bd27d540d10f33b5fc60a951a80a6e10e2cb47102
• Instruction ID: c8d5697d453840d597883900d8b82321c34fb2de79cdcf2040c6f21e5ef0b479
• Opcode Fuzzy Hash: eed4d8d377926f1e9a5ac00bd27d540d10f33b5fc60a951a80a6e10e2cb47102
• Instruction Fuzzy Hash: 6D81DF74A01245CFC7A4DFA9C8959BEBBF1FF45714B2080AFD455AB262D7328C02CB91
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6ce9389e0699b5e6e16467e03e12f33e017123f219429bdaab658a8b4fd6453
• Instruction ID: e9d3ec27129ea291d876e79ae4c87788a0e8935356a9097696a44c0d1072c265
• Opcode Fuzzy Hash: d6ce9389e0699b5e6e16467e03e12f33e017123f219429bdaab658a8b4fd6453
• Instruction Fuzzy Hash: 5281D174A01245CFC7A4DFA9C8959AFBBF1FF45710B1080AFD055AB262D7328C06CB91
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 257a1cd0d987740a22af37fdcfc5c61dd417e2b090c3e4b956a780b92484b085
• Instruction ID: 3de3eed949c86b9eba760217fa81b921f9aa99e45b7974f06a11ffab6b9be67f
• Opcode Fuzzy Hash: 257a1cd0d987740a22af37fdcfc5c61dd417e2b090c3e4b956a780b92484b085
• Instruction Fuzzy Hash: 7F71C074A11245CFCBA4DFA5C8959BEBBF1FF45710B2080AFD445AB262D7318D02CB51
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0af026b874e0e0fd3b30375a6b0b5bd0b231127b2f923cffa05cbe8629b9042e
• Instruction ID: 610e17d5a8803a62c2194f74ead92c5b1d8833c001cb363b4da1b39f5563df07
• Opcode Fuzzy Hash: 0af026b874e0e0fd3b30375a6b0b5bd0b231127b2f923cffa05cbe8629b9042e
• Instruction Fuzzy Hash: C371D074A01245CFCBA4DFA5C8959BEBBF1FF45710B2480AFD045AB262D7328D06CB91
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84fff841050cec3fee1a1c36ad87f2fe053b45434bf44e6bf99aa77599f1fbe5
• Instruction ID: 73ae238980c28cf1cae93c4652483296317389f6a9cd265952e5afa90649dd5b
• Opcode Fuzzy Hash: 84fff841050cec3fee1a1c36ad87f2fe053b45434bf44e6bf99aa77599f1fbe5
• Instruction Fuzzy Hash: A681D174A00245CFCBA4DFA5C895ABEBBF1FF85714B1080AFD045AB262D7318D02CB51
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8011c4122765d9e3d71579ddc3a7035cde61822310e305973d019c3d3fd369d
• Instruction ID: f3ec56f0cee36afc185aedadaa7df02a599c5c7cd3924eae6481b25521916478
• Opcode Fuzzy Hash: b8011c4122765d9e3d71579ddc3a7035cde61822310e305973d019c3d3fd369d
• Instruction Fuzzy Hash: 5B611638B047058BCB84ABB8C85466EBBA3ABD5604B10C93FD046DF3A5DF34DD068795
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1cffdd987280316a14218643384eb26f8d2d2ac206dc5c6254396c66be8ea9d7
• Instruction ID: ffe0256cc59aa338347900a1a780b9d96ea589a57f40d1f5a2eec10c7c1082a0
• Opcode Fuzzy Hash: 1cffdd987280316a14218643384eb26f8d2d2ac206dc5c6254396c66be8ea9d7
• Instruction Fuzzy Hash: 3171D074A11245CFC7A4DFA9C8999BEBBF1FF45314B2080AFD055AB262D7328D06CB91
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e5408ef7407eb83ff0e5f38c8b6e92776a1e022b052420343139f44b6e27c049
• Instruction ID: 6b184f58bd295a2cfb1a5a05986879e1a6504575ec6931ffc77c6894d974ebb6
• Opcode Fuzzy Hash: e5408ef7407eb83ff0e5f38c8b6e92776a1e022b052420343139f44b6e27c049
• Instruction Fuzzy Hash: 8B71D174A11245CFC7A4DFA9C8999BEBBF1FF45314B24809FD055AB262D7328C06CB91
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 98c06bad6d37acc78c24732648475027edb2195c6a3ca4d348f492669a982c4d
• Instruction ID: d7de7e65fc0bba60b64f1cd14f221a6b07a2f7fdfe7c04555f02881468c23b48
• Opcode Fuzzy Hash: 98c06bad6d37acc78c24732648475027edb2195c6a3ca4d348f492669a982c4d
• Instruction Fuzzy Hash: 7171C074A11245CFC7A4DFA9C8959BEBBF1FF45314B2080AFD055AB262D7328D06CB91
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77e6309ca6d551645e7f77031796ef196f5c987328c0bc842b3098d2ce05b190
• Instruction ID: 44cb0756870b774c361172a0135cb3d68a82bacae39a8ba61bfa21117e5b4120
• Opcode Fuzzy Hash: 77e6309ca6d551645e7f77031796ef196f5c987328c0bc842b3098d2ce05b190
• Instruction Fuzzy Hash: 3E71CF74A01245CFC7A8DFA9C8999BEBBF1FF45310B2080AFD055AB262D7318D06CB91
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2985aa6bbd339d7e273db4f614741e18b6e2374e666002d1143700406fd50cc6
• Instruction ID: af43cd0ac2ca626d2995a1c4c7e0b987207de066ae3f1d0ecdf5e3b44f5789c8
• Opcode Fuzzy Hash: 2985aa6bbd339d7e273db4f614741e18b6e2374e666002d1143700406fd50cc6
• Instruction Fuzzy Hash: 2E71CF74A01245CFC7A8DFA9C8959BEBBF1FF45314B2080AFD455AB262D7328D06CB91
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1dfc3310d4715ad56a325426e067f1997bf3f4e0a1bdc946a854b94b1209ede3
• Instruction ID: e77cd282687b72c997d571d936a7434ac8427f73e89b1c3f73f094cb8dc7ac64
• Opcode Fuzzy Hash: 1dfc3310d4715ad56a325426e067f1997bf3f4e0a1bdc946a854b94b1209ede3
• Instruction Fuzzy Hash: D471D074A01245CFC7A8DFA9C8959BEBBF1FF45314B1080AFE055AB262D7318D06CB91
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34da7cd71e3cbd9a90d93b4500c8bb11eabd4922a18dce88244d808b8ab908e7
• Instruction ID: 9a6cffce359effaba11c4445f22c30880dd63e224b99980fbbcccd66d4517ea3
• Opcode Fuzzy Hash: 34da7cd71e3cbd9a90d93b4500c8bb11eabd4922a18dce88244d808b8ab908e7
• Instruction Fuzzy Hash: EA71C074A11245CFCBA8DFA9C8959BEBBB1FF45314B20409FD045AF262D7318D02CB95
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f0f68039057f401cc126c65b7702d322019730eeb42c3de1de56565fc46d7e44
• Instruction ID: af40ca98874c9dd2c71f26461cf9b913086ecabd8ce4831d95e97528212f2d1a
                                                                                                                                                                              • Opcode Fuzzy Hash: f0f68039057f401cc126c65b7702d322019730eeb42c3de1de56565fc46d7e44
                                                                                                                                                                              • Instruction Fuzzy Hash: 1271C074A11245CFCBA8DFA9C8959BEBBB1FF45314B20409FD045AF262D7358D06CB91
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: f033c7c579130bcb7e9c8d06c8cff7639894ad2552d5f0d18c0293b1b9fe79aa
                                                                                                                                                                              • Instruction ID: 99dab7bf71d6e470126b0c1436a723b2d4abb1e7548eb92d1b5c3329f978ce81
                                                                                                                                                                              • Opcode Fuzzy Hash: f033c7c579130bcb7e9c8d06c8cff7639894ad2552d5f0d18c0293b1b9fe79aa
                                                                                                                                                                              • Instruction Fuzzy Hash: 0971D074A11245CFCBA8DFA9C8959BEBBB1FF45314B20409ED045AB262D7318D06CB91
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 7aa27844fb633f74b93f948c42b35a0f09dc45e3bdda7eb34b7ef8e4149a665b
                                                                                                                                                                              • Instruction ID: 424f97d0cbeb34c7148c4c535aff34bcc50f53e859832d13d98cb9cf554a5707
                                                                                                                                                                              • Opcode Fuzzy Hash: 7aa27844fb633f74b93f948c42b35a0f09dc45e3bdda7eb34b7ef8e4149a665b
                                                                                                                                                                              • Instruction Fuzzy Hash: D071D074A10245CFCBA8DFA5C8959BEBBF1FF45314B2040AED445AF262D7318D06CB95
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 4bcaa39e20b9ca40884476982e3762455cf48f9d7c932b97d933f271cbeda6e3
                                                                                                                                                                              • Instruction ID: c03cab23615069f30d61eb6fdaf2f6ee2a7a3d9dcb884b5d60c48927997f0ff5
                                                                                                                                                                              • Opcode Fuzzy Hash: 4bcaa39e20b9ca40884476982e3762455cf48f9d7c932b97d933f271cbeda6e3
                                                                                                                                                                              • Instruction Fuzzy Hash: A461E438B047058BCB88ABB8C95566FA7A7ABD4704F10C93ED046DB3A4DF34DD068795
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: cff327b3d61411a49bcc86bb5415219a1acb80ebeed7e09fe87fef3aeb2039fa
                                                                                                                                                                              • Instruction ID: 379463b6fcb18f1d8a04f31981a72d621759115c671150ecd2d500acbaa3a3c9
                                                                                                                                                                              • Opcode Fuzzy Hash: cff327b3d61411a49bcc86bb5415219a1acb80ebeed7e09fe87fef3aeb2039fa
                                                                                                                                                                              • Instruction Fuzzy Hash: F2511672D056198FEB28CF66C8507E9FBB6BF8A300F14C1AAD549B6254EB701A85CF40

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              APIs
                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 053C0A3E
                                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 053C0A7B
                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 053C0AB8
                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 053C0B11
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_53c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2063062207-0
                                                                                                                                                                              • Opcode ID: eee6a5b328948e0f1f23fbe520bbc55d0dc2323b1427db0c7342f3dbda1a764a
                                                                                                                                                                              • Instruction ID: 75e2a98a93ca79cf2f305ed8d1366dd3edb383abf6e1c08b8de520dbbe0acb57
                                                                                                                                                                              • Opcode Fuzzy Hash: eee6a5b328948e0f1f23fbe520bbc55d0dc2323b1427db0c7342f3dbda1a764a
                                                                                                                                                                              • Instruction Fuzzy Hash: 165186B0901749CFDB54CFA9C948BEEBBF1AF88300F208469E049A7391DB749C45CB65

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              APIs
                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 053C0A3E
                                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 053C0A7B
                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 053C0AB8
                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 053C0B11
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_53c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2063062207-0
                                                                                                                                                                              • Opcode ID: ea2c0030aafb6f78b65f57a88585047767f83388ec3393c368449ec11a8331c4
                                                                                                                                                                              • Instruction ID: 0ab0d3ba4503b3486af02a9e9b4e624705bbf066748bbbe11c4cf47634ab2d34
                                                                                                                                                                              • Opcode Fuzzy Hash: ea2c0030aafb6f78b65f57a88585047767f83388ec3393c368449ec11a8331c4
                                                                                                                                                                              • Instruction Fuzzy Hash: D15165B0901749CFDB58CFAAC948B9EBBF1BF88304F208469E049A7390DB749D44CB65

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              control_flow_graph 48 97fb70e-97fb7ad 50 97fb7af-97fb7b9 48->50 51 97fb7e6-97fb806 48->51 50->51 52 97fb7bb-97fb7bd 50->52 58 97fb83f-97fb86e 51->58 59 97fb808-97fb812 51->59 53 97fb7bf-97fb7c9 52->53 54 97fb7e0-97fb7e3 52->54 56 97fb7cd-97fb7dc 53->56 57 97fb7cb 53->57 54->51 56->56 60 97fb7de 56->60 57->56 67 97fb8a7-97fb961 CreateProcessA 58->67 68 97fb870-97fb87a 58->68 59->58 61 97fb814-97fb816 59->61 60->54 62 97fb839-97fb83c 61->62 63 97fb818-97fb822 61->63 62->58 65 97fb826-97fb835 63->65 66 97fb824 63->66 65->65 69 97fb837 65->69 66->65 79 97fb96a-97fb9f0 67->79 80 97fb963-97fb969 67->80 68->67 70 97fb87c-97fb87e 68->70 69->62 72 97fb8a1-97fb8a4 70->72 73 97fb880-97fb88a 70->73 72->67 74 97fb88e-97fb89d 73->74 75 97fb88c 73->75 74->74 77 97fb89f 74->77 75->74 77->72 90 97fb9f2-97fb9f6 79->90 91 97fba00-97fba04 79->91 80->79 90->91 92 97fb9f8 90->92 93 97fba06-97fba0a 91->93 94 97fba14-97fba18 91->94 92->91 93->94 95 97fba0c 93->95 96 97fba1a-97fba1e 94->96 97 97fba28-97fba2c 94->97 95->94 96->97 98 97fba20 96->98 99 97fba3e-97fba45 97->99 100 97fba2e-97fba34 97->100 98->97 101 97fba5c 99->101 102 97fba47-97fba56 99->102 100->99 104 97fba5d 101->104 102->101 104->104
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 097FB94E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CreateProcess
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 963392458-0
                                                                                                                                                                              • Opcode ID: ab9a5f7460fb4b92498994af1787ec52ede6d63cc22d7e372b813c6637ad75fd
                                                                                                                                                                              • Instruction ID: 76cef69f6ae9e06c3addc504b311904b0ef157d2708f6ba5cf8961909f8fe96d
                                                                                                                                                                              • Opcode Fuzzy Hash: ab9a5f7460fb4b92498994af1787ec52ede6d63cc22d7e372b813c6637ad75fd
                                                                                                                                                                              • Instruction Fuzzy Hash: EDA13B72D00319DFEB24CFA8C8517AEBBB2BF84310F14816AE959B7250DB749985CF91

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              control_flow_graph 105 97fb718-97fb7ad 107 97fb7af-97fb7b9 105->107 108 97fb7e6-97fb806 105->108 107->108 109 97fb7bb-97fb7bd 107->109 115 97fb83f-97fb86e 108->115 116 97fb808-97fb812 108->116 110 97fb7bf-97fb7c9 109->110 111 97fb7e0-97fb7e3 109->111 113 97fb7cd-97fb7dc 110->113 114 97fb7cb 110->114 111->108 113->113 117 97fb7de 113->117 114->113 124 97fb8a7-97fb961 CreateProcessA 115->124 125 97fb870-97fb87a 115->125 116->115 118 97fb814-97fb816 116->118 117->111 119 97fb839-97fb83c 118->119 120 97fb818-97fb822 118->120 119->115 122 97fb826-97fb835 120->122 123 97fb824 120->123 122->122 126 97fb837 122->126 123->122 136 97fb96a-97fb9f0 124->136 137 97fb963-97fb969 124->137 125->124 127 97fb87c-97fb87e 125->127 126->119 129 97fb8a1-97fb8a4 127->129 130 97fb880-97fb88a 127->130 129->124 131 97fb88e-97fb89d 130->131 132 97fb88c 130->132 131->131 134 97fb89f 131->134 132->131 134->129 147 97fb9f2-97fb9f6 136->147 148 97fba00-97fba04 136->148 137->136 147->148 149 97fb9f8 147->149 150 97fba06-97fba0a 148->150 151 97fba14-97fba18 148->151 149->148 150->151 152 97fba0c 150->152 153 97fba1a-97fba1e 151->153 154 97fba28-97fba2c 151->154 152->151 153->154 155 97fba20 153->155 156 97fba3e-97fba45 154->156 157 97fba2e-97fba34 154->157 155->154 158 97fba5c 156->158 159 97fba47-97fba56 156->159 157->156 161 97fba5d 158->161 159->158 161->161
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 097FB94E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CreateProcess
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 963392458-0
                                                                                                                                                                              • Opcode ID: bbc58969a00c38a9187546198d517d8c2720eae4067c0ed24f7b4251d5dc4d0a
                                                                                                                                                                              • Instruction ID: 56eedb3ed992b3d1632578bdf60f9771babae80e6b86a944f1b4293824455808
                                                                                                                                                                              • Opcode Fuzzy Hash: bbc58969a00c38a9187546198d517d8c2720eae4067c0ed24f7b4251d5dc4d0a
                                                                                                                                                                              • Instruction Fuzzy Hash: 9E914B72D00319CFEB14CFA8C8517AEBBB2BF84310F14816AE959B7240DB749985CF91

Control-flow Graph
control_flow_graph 162 53c5138-53c513c 163 53c519c-53c51f6 162->163 164 53c513e-53c5170 call 53c2ff8 162->164 166 53c51f8-53c51fe 163->166 167 53c5201-53c5208 163->167 168 53c5175-53c5176 164->168 166->167 169 53c520a-53c5210 167->169 170 53c5213-53c52b2 CreateWindowExW 167->170 169->170 173 53c52bb-53c52f3 170->173 174 53c52b4-53c52ba 170->174 178 53c52f5-53c52f8 173->178 179 53c5300 173->179 174->173 178->179 180 53c5301 179->180 180->180
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053C52A2
Memory Dump Source
• Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53c0000_5tCuNr661k.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: be37da3384a9c086e5bcda901db6632fa6e8e2ed69755d507c788ba7dd3a4f5a
• Instruction ID: 32c5d0cf15eee2d1e4b1e900fe51577242b6b302ac70cb725aa6c76445228483
• Opcode Fuzzy Hash: be37da3384a9c086e5bcda901db6632fa6e8e2ed69755d507c788ba7dd3a4f5a
• Instruction Fuzzy Hash: CF51BEB1C00209AFDF15CF99D884ADDBFB6BF48300F14816AE919AB220D775A895CF50

Control-flow Graph
control_flow_graph 181 53c518d-53c51f6 183 53c51f8-53c51fe 181->183 184 53c5201-53c5208 181->184 183->184 185 53c520a-53c5210 184->185 186 53c5213-53c524b 184->186 185->186 188 53c5253-53c52b2 CreateWindowExW 186->188 189 53c52bb-53c52f3 188->189 190 53c52b4-53c52ba 188->190 194 53c52f5-53c52f8 189->194 195 53c5300 189->195 190->189 194->195 196 53c5301 195->196 196->196
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053C52A2
Memory Dump Source
• Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53c0000_5tCuNr661k.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 181667207d9587f302266eda85f82fd069b10c6d2babd193df53fb74164d8c56
• Instruction ID: 52760e8ee5d0254796dbf77843045b377f245df5863ef7dcb3af24101e3ca045
• Opcode Fuzzy Hash: 181667207d9587f302266eda85f82fd069b10c6d2babd193df53fb74164d8c56
• Instruction Fuzzy Hash: F751A3B1D103499FDB14CF99D884ADEBFB5BF88310F24816EE819AB210D7B5A845CF50

Control-flow Graph
control_flow_graph 197 53c5190-53c51f6 199 53c51f8-53c51fe 197->199 200 53c5201-53c5208 197->200 199->200 201 53c520a-53c5210 200->201 202 53c5213-53c524b 200->202 201->202 204 53c5253-53c52b2 CreateWindowExW 202->204 205 53c52bb-53c52f3 204->205 206 53c52b4-53c52ba 204->206 210 53c52f5-53c52f8 205->210 211 53c5300 205->211 206->205 210->211 212 53c5301 211->212 212->212
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053C52A2
Memory Dump Source
• Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53c0000_5tCuNr661k.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 3989a990031c4d2c2eb14cdd46d15b523b2b5e0885aceeb24f73dc21642367cc
• Instruction ID: 84eb5c5742287f5bb08164f95f21f155cf64d2a2dd61a0793aea1da01a3fa3c9
• Opcode Fuzzy Hash: 3989a990031c4d2c2eb14cdd46d15b523b2b5e0885aceeb24f73dc21642367cc
• Instruction Fuzzy Hash: 6141A0B1D103499FDB14CF99C884ADEBFF5BF88310F64812AE819AB210D7B5A845CF90

Control-flow Graph
control_flow_graph 213 14c8ebc-14c8ec6 214 14c8ec8-14c8f89 CreateActCtxA 213->214 216 14c8f8b-14c8f91 214->216 217 14c8f92-14c8fec 214->217 216->217 224 14c8fee-14c8ff1 217->224 225 14c8ffb-14c8fff 217->225 224->225 226 14c9010 225->226 227 14c9001-14c900d 225->227 229 14c9011 226->229 227->226 229->229
APIs
• CreateActCtxA.KERNEL32(?), ref: 014C8F79
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: d68fdd8ded1b212e9d7ab758663e193a4d2556a6850355b388fb590843e651f3
• Instruction ID: 7e0661d7c22fc0f569fe3718146773784242099714b4477a31277f50ea1ae03a
• Opcode Fuzzy Hash: d68fdd8ded1b212e9d7ab758663e193a4d2556a6850355b388fb590843e651f3
• Instruction Fuzzy Hash: CE41E1B0C00719CFEB24CFA9C844BDEBBB5BF49704F20806AD548AB261DB756946CF90

Control-flow Graph
control_flow_graph 230 53c314c-53c779c 233 53c784c-53c786c call 53c3024 230->233 234 53c77a2-53c77a7 230->234 241 53c786f-53c787c 233->241 235 53c77a9-53c77e0 234->235 236 53c77fa-53c7832 CallWindowProcW 234->236 244 53c77e9-53c77f8 235->244 245 53c77e2-53c77e8 235->245 238 53c783b-53c784a 236->238 239 53c7834-53c783a 236->239 238->241 239->238 244->241 245->244
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 053C7821
Memory Dump Source
• Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53c0000_5tCuNr661k.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: b1befebe9461f57f7960294ec65583c6f2df63c2e1ebc14fec8bf3095b84472c
• Instruction ID: 786f56ea883df97c9208ba3fa2ccfabf1d3b6701208d115537ffddd165526ace
• Opcode Fuzzy Hash: b1befebe9461f57f7960294ec65583c6f2df63c2e1ebc14fec8bf3095b84472c
• Instruction Fuzzy Hash: 364129B9900709CFCB14CF99C488AAABBF5FF88314F15849DD559AB321D775A841CFA0

Control-flow Graph
control_flow_graph 247 14c7a4c-14c8f89 CreateActCtxA 250 14c8f8b-14c8f91 247->250 251 14c8f92-14c8fec 247->251 250->251 258 14c8fee-14c8ff1 251->258 259 14c8ffb-14c8fff 251->259 258->259 260 14c9010 259->260 261 14c9001-14c900d 259->261 263 14c9011 260->263 261->260 263->263
APIs
• CreateActCtxA.KERNEL32(?), ref: 014C8F79
Memory Dump Source
• Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 2b95900002f2e10c3b3c14b4acd7f9384a053a86adf81ca0dca19eef6c5f2b61
• Instruction ID: 665bb7397a345850804809d5b98ffd1ff17832681b8abe0a0ec9d830c094a42c
• Opcode Fuzzy Hash: 2b95900002f2e10c3b3c14b4acd7f9384a053a86adf81ca0dca19eef6c5f2b61
• Instruction Fuzzy Hash: 0D41E2B4C00719CFEB24CFA9C844B9EBBB5BF48704F20806AD558AB251DBB56946CF90

Control-flow Graph
control_flow_graph 264 97fb488-97fb4de 266 97fb4ee-97fb52d WriteProcessMemory 264->266 267 97fb4e0-97fb4ec 264->267 269 97fb52f-97fb535 266->269 270 97fb536-97fb566 266->270 267->266 269->270
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 097FB520
Memory Dump Source
• Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 1a1dc708188413360df313acfd7492dc33ed13fbbdabe49dfab66c3be3ea6e75
• Instruction ID: 6a6957d7127f95566ceb28da101c5dfe5c6d2d8eb972d824e8c2ba45dba649b9
• Opcode Fuzzy Hash: 1a1dc708188413360df313acfd7492dc33ed13fbbdabe49dfab66c3be3ea6e75
• Instruction Fuzzy Hash: 682135719003499FDB10CFA9C885BEEBBF1FF48310F14842AE959A7240C7789945CBA4

Control-flow Graph
control_flow_graph 274 97fb490-97fb4de 276 97fb4ee-97fb52d WriteProcessMemory 274->276 277 97fb4e0-97fb4ec 274->277 279 97fb52f-97fb535 276->279 280 97fb536-97fb566 276->280 277->276 279->280
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 097FB520
Memory Dump Source
• Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 6ebb62f8870392951a2bca59acc0931ff6c3a58d26fca8a15329c4eb37589e4e
• Instruction ID: 1ae41318bc201df7df56af13b4520c63251c47dfac0e3a79ffb50037aa778541
• Opcode Fuzzy Hash: 6ebb62f8870392951a2bca59acc0931ff6c3a58d26fca8a15329c4eb37589e4e
• Instruction Fuzzy Hash: 012126759003499FDB10CFAAC885BEEBBF5FF48310F14842AE959A7241C7799944CBA4

Control-flow graph: basic blocks 53c0c00-53c0cc2 around the DuplicateHandle call (graph image not included).
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 053C0C8F
Memory Dump Source
• Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53c0000_5tCuNr661k.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 6053219956253bcaf5d93d958369a3d7ba70249dd032d410f34f82e3fc6c5701
• Instruction ID: 53207dff371cc7748f3383ac67e313344cbd3dca7ad0a46b0b00d0905787169b
• Opcode Fuzzy Hash: 6053219956253bcaf5d93d958369a3d7ba70249dd032d410f34f82e3fc6c5701
• Instruction Fuzzy Hash: 2921E6B5900258DFDB10CFAAD884AEEBFF4FB48310F14846AE999A7351C3759945CF60

Control-flow graph: basic blocks 97fb2f2-97fb3bc around the Wow64SetThreadContext call (graph image not included).
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 097FB376
Memory Dump Source
• Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 77fd9c43a90bea810317b18e48bd23e8231b12050caa994e6b716e8e63a2272a
• Instruction ID: 971db3ebb9bdbec5b3514ad77ab0d54146cb45bee7f7ae9310ab0cee756914c7
• Opcode Fuzzy Hash: 77fd9c43a90bea810317b18e48bd23e8231b12050caa994e6b716e8e63a2272a
• Instruction Fuzzy Hash: 75213472D003098FDB14CFAAC4857EEBBF4EF88310F54842AD559A7241CBB89949CFA4

Control-flow graph: basic blocks 97fb57a-97fb646 around the ReadProcessMemory call (graph image not included).
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 097FB600
Memory Dump Source
• Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: c5bc289256475f022fed734e374ec9379256127ef0f4eee086bc5e74be0b26dc
• Instruction ID: 74748f261f28dd199097948b0be58dad121cb7c8982868d6d8a71eb74c6e8db1
• Opcode Fuzzy Hash: c5bc289256475f022fed734e374ec9379256127ef0f4eee086bc5e74be0b26dc
• Instruction Fuzzy Hash: 562127B18003499FDB10CFAAC845BEEBBF5FF48310F14842AE559A7250C7749945CBA4
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 097FB376
Memory Dump Source
• Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 52a4c361ad8dfb5cafeefff668f35b10fde955e7131d79d80cb04ed6e2a736a5
• Instruction ID: edfef26095d2cc3ece143b7dc1d87f9975bfda3b8e09a553751ac39553175f76
• Opcode Fuzzy Hash: 52a4c361ad8dfb5cafeefff668f35b10fde955e7131d79d80cb04ed6e2a736a5
• Instruction Fuzzy Hash: 872135729003098FDB10DFAAC8857EEBBF4EF48310F54842AD559A7241CBB89945CFA4
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 097FB600
Memory Dump Source
• Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 8149f7cbf9011f61b986c62f35008d3fca52b66d852250d4fd8652fd34f03153
• Instruction ID: 7a83c893004d8a58b03cbd55f1441379c7109f2d49d2adef93dc7f64f8fbbc95
• Opcode Fuzzy Hash: 8149f7cbf9011f61b986c62f35008d3fca52b66d852250d4fd8652fd34f03153
• Instruction Fuzzy Hash: 2D2125B18003499FDB10DFAAC885BEEBBF5FF48310F54842AE958A7241C7799941CBA4
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 053C0C8F
Memory Dump Source
• Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53c0000_5tCuNr661k.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: e0f0e0fce54d53c67fdd86cc5ee831da730b67f0864500bc1dedb3a8682dddd6
• Instruction ID: bee4058a732a487c7564b1ac84287a5a4cee6fbb1559105e669f654edea7f5a2
• Opcode Fuzzy Hash: e0f0e0fce54d53c67fdd86cc5ee831da730b67f0864500bc1dedb3a8682dddd6
• Instruction Fuzzy Hash: 6721E4B5900248DFDB10CF9AD884ADEBBF4FB48310F14842AE958A7350D374A944CF64
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053C52A2
Memory Dump Source
• Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53c0000_5tCuNr661k.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 604adf22786e075dc5887a845234b0078b63c19d474b3f4fe1a64ff233df292e
• Instruction ID: c86d7de21e086429055a44f985d4a23601c9cfb4198811ae06c16d1185c226bb
• Opcode Fuzzy Hash: 604adf22786e075dc5887a845234b0078b63c19d474b3f4fe1a64ff233df292e
• Instruction Fuzzy Hash: 8A21BE71800208EFDF15CF94D894ADDBFB5FF48304F248159E809AB260C7B5A845CF60
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 097FB43E
Memory Dump Source
• Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: b39819b724e742c95fff8b151b778c6499ffd1749c6f05876c6a1a390ba7175e
• Instruction ID: eb345e2cf718c77be2890d52bae36fc78e0a40e16dd14eba02d43b2c65dc95a5
• Opcode Fuzzy Hash: b39819b724e742c95fff8b151b778c6499ffd1749c6f05876c6a1a390ba7175e
• Instruction Fuzzy Hash: 4A1147718003489FDB10CFAAD844BEEBBF5EB88310F24842AE959A7250C7759955CFA0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 097FB43E
Memory Dump Source
• Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: b982a0692c0c267459d1f4d82b91c3d02f319c6d3e9daaa7f452d179b4d7256c
• Instruction ID: 5caeda3b491e6e739b770b19d8de60d1a8db66b7e3106bee6ab7eae89ba2318e
• Opcode Fuzzy Hash: b982a0692c0c267459d1f4d82b91c3d02f319c6d3e9daaa7f452d179b4d7256c
• Instruction Fuzzy Hash: E51137728003489FDF10DFAAC844BEEBBF5EF48314F148429E959A7250C7759954CFA4
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ResumeThread
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 947044025-0
                                                                                                                                                                              • Opcode ID: 63ae04373bdd1b291f6a4b548cd23f08e93d252b661d5013dfb0a6c000ee4658
                                                                                                                                                                              • Instruction ID: 0d9dceba3efd4cf2f9f01802ed08095e3cc01ddc0331cd269dce50ff42c2d3e1
                                                                                                                                                                              • Opcode Fuzzy Hash: 63ae04373bdd1b291f6a4b548cd23f08e93d252b661d5013dfb0a6c000ee4658
                                                                                                                                                                              • Instruction Fuzzy Hash: C81188B19003088FDB24CFAAC8457EEBBF1EB88310F14842AD559B7350CB79A945CFA4
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ResumeThread
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 947044025-0
                                                                                                                                                                              • Opcode ID: d87eeca8dbc9c4a6197c0110b251ed7062362e7c9127ec6f9ded7cac4b604e0a
                                                                                                                                                                              • Instruction ID: e3f3c97be5d5f15b2658a8a34ef26b6866abf8ed31a3e2e31ea7c9de774aa2a5
                                                                                                                                                                              • Opcode Fuzzy Hash: d87eeca8dbc9c4a6197c0110b251ed7062362e7c9127ec6f9ded7cac4b604e0a
                                                                                                                                                                              • Instruction Fuzzy Hash: 711128B19003488FDB24DFAAC84579EFBF4EB88314F148429D559A7240CB75A945CBA4
                                                                                                                                                                              APIs
                                                                                                                                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 097FDDD5
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1391038367.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_97f0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessagePost
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 410705778-0
                                                                                                                                                                              • Opcode ID: 1f65dc4116facd283e9c782c1bb724108028c5c96cb569a5c1aa401d53c7e370
                                                                                                                                                                              • Instruction ID: 98b1b81baee0ec065152a7c22d823f7fcc9ffa87d976500b865b4fc146965ac5
                                                                                                                                                                              • Opcode Fuzzy Hash: 1f65dc4116facd283e9c782c1bb724108028c5c96cb569a5c1aa401d53c7e370
                                                                                                                                                                              • Instruction Fuzzy Hash: 6711E0B58007489FDB20CF9AC848BEEBBF8FB48310F10845AE958A7740C375A944CFA1
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 014CE7FE
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HandleModule
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4139908857-0
                                                                                                                                                                              • Opcode ID: 3d586cb6a69f320879e4dde7e555dd869030a71642ee4f6a5d1d82dee7c703f1
                                                                                                                                                                              • Instruction ID: 9669e3a09b182578ef6fd90aa8fcf831ce5b12771c6c779e9a8f6b4e9d96bbbf
                                                                                                                                                                              • Opcode Fuzzy Hash: 3d586cb6a69f320879e4dde7e555dd869030a71642ee4f6a5d1d82dee7c703f1
                                                                                                                                                                              • Instruction Fuzzy Hash: AF1102B5C006498FDB10CF9AC844BDEFBF4AB88610F10842AD459B7210C375A545CFA1
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1375346598.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10ed000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 5e64a3af51d412b366878078b3e0f9c62a627fe7c514de2d79f98d2cc7c6614a
                                                                                                                                                                              • Instruction ID: 8fe5b33e647f47b7d816c2976e11385348b2acb86ead1c220054968708411f9c
                                                                                                                                                                              • Opcode Fuzzy Hash: 5e64a3af51d412b366878078b3e0f9c62a627fe7c514de2d79f98d2cc7c6614a
                                                                                                                                                                              • Instruction Fuzzy Hash: BA210071604300DFDB15DF94D888B26BFE1EB88314F28C5ADE88A0B242C336D456CB62
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1375346598.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10ed000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 8e84cf7ce0cef1a4dc027f43f6de4f19abd34472253e9b4cdc986a4b2aa0b8bb
                                                                                                                                                                              • Instruction ID: 7bb730826b76a502b673cd159549ca92a9b72e0b443922a2dd385f6150df19b6
                                                                                                                                                                              • Opcode Fuzzy Hash: 8e84cf7ce0cef1a4dc027f43f6de4f19abd34472253e9b4cdc986a4b2aa0b8bb
                                                                                                                                                                              • Instruction Fuzzy Hash: C32195755093808FCB13CF64D594715BFB1EB46214F28C5DAD8898F667C33A980ACB62
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1375267217.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10dd000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: f7d42ade5c4549658ff52ce76989d12ca1a7f62b905bfc41d847e29416520660
                                                                                                                                                                              • Instruction ID: bf5b03a610b8118807070ce10132ad6bfef2b5b67249f7e8e0a3f48be8ebe144
                                                                                                                                                                              • Opcode Fuzzy Hash: f7d42ade5c4549658ff52ce76989d12ca1a7f62b905bfc41d847e29416520660
                                                                                                                                                                              • Instruction Fuzzy Hash: 5A01A7310083849BE7544BA5CD84B6AFBD8FF41224F19C49AED894A1C2E6789844CB72
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1375267217.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10dd000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: f51babc7c5da2655db861d13c138aeef0e3c83ed1b977d30432bf4d348a63c2d
                                                                                                                                                                              • Instruction ID: 2a3370a826962b39f299f49da17daa87f58e3af9879ec60751f1bcf410b48ffb
                                                                                                                                                                              • Opcode Fuzzy Hash: f51babc7c5da2655db861d13c138aeef0e3c83ed1b977d30432bf4d348a63c2d
                                                                                                                                                                              • Instruction Fuzzy Hash: ACF062714083849FE7548B1ADD84B66FFD8EB81734F18C59AED884F283D2799844CB71
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: Ea
                                                                                                                                                                              • API String ID: 0-3364303221
                                                                                                                                                                              • Opcode ID: 23d6c27b962450cf677978b867c8f693919cdf8a704deded5987e4e52b530083
                                                                                                                                                                              • Instruction ID: 82481cf8867fdf6ecb004f339392b9b68498914d6661818cdbf6fd523c486881
                                                                                                                                                                              • Opcode Fuzzy Hash: 23d6c27b962450cf677978b867c8f693919cdf8a704deded5987e4e52b530083
                                                                                                                                                                              • Instruction Fuzzy Hash: 3E41D335614606CFC794CE69D981A66BBF6FF84310B14C82FD05ADB664E2B4D945CB01
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1376387390.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_14c0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: Ea
                                                                                                                                                                              • API String ID: 0-3364303221
                                                                                                                                                                              • Opcode ID: 28567bb967bd3485023f0af3c24930d51f078e075858a1c1f7dea6389b48ccf7
                                                                                                                                                                              • Instruction ID: c04f75822a41137a67695d8d40aff096122f21f2b93dc5a1bb9684d7d2975935
                                                                                                                                                                              • Opcode Fuzzy Hash: 28567bb967bd3485023f0af3c24930d51f078e075858a1c1f7dea6389b48ccf7
                                                                                                                                                                              • Instruction Fuzzy Hash: 2E41D235710606CFC7A4CE69D985E6BBBF6FB84610B14C42FD01ADB664E2F4E981CB42
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1389320608.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin

Execution Graph

Execution Coverage: 8.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 82
Total number of Limit Nodes: 6

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00DBB086
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2610631552.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_db0000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HandleModule
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4139908857-0
                                                                                                                                                                              • Opcode ID: 7ee5b5dfcfa98baab3e27d71a7f21c8fac747bee5594ac67925279236424fcf6
                                                                                                                                                                              • Instruction ID: 5297efa0f21ad9ded28d5330b14ae79741954e7d7ff5bcb5f0b6031a189df16e
                                                                                                                                                                              • Opcode Fuzzy Hash: 7ee5b5dfcfa98baab3e27d71a7f21c8fac747bee5594ac67925279236424fcf6
                                                                                                                                                                              • Instruction Fuzzy Hash: 467136B0A00B05CFDB24DF2AD0457AAB7F1FF88314F04892DE48A97A40D775E946CBA1

Control-flow Graph
control_flow_graph 160 db5935-db593b 161 db5944-db5a01 CreateActCtxA 160->161 163 db5a0a-db5a64 161->163 164 db5a03-db5a09 161->164 171 db5a73-db5a77 163->171 172 db5a66-db5a69 163->172 164->163 173 db5a79-db5a85 171->173 174 db5a88 171->174 172->171 173->174 176 db5a89 174->176 176->176
APIs
• CreateActCtxA.KERNEL32(?), ref: 00DB59F1
Memory Dump Source
• Source File: 00000003.00000002.2610631552.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_db0000_5tCuNr661k.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: cc3a4e643f93a0919ed5251ddf1d942c917845999af02d06370e3eac8a38f771
• Instruction ID: d6e5984a557db3f04c3f4cc4fd39322c80823a39cda7f76f19d1aed7a927c3f9
• Opcode Fuzzy Hash: cc3a4e643f93a0919ed5251ddf1d942c917845999af02d06370e3eac8a38f771
• Instruction Fuzzy Hash: 0D41EFB0C00719CBDB24CFAAC884BDDBBB5BF48304F24816AD419BB255DBB56986CF50

Control-flow Graph
control_flow_graph 177 4f60bfc-4f642fc 180 4f64302-4f64307 177->180 181 4f643ac-4f643cc call 4f60ad4 177->181 183 4f6435a-4f64392 CallWindowProcW 180->183 184 4f64309-4f64340 180->184 188 4f643cf-4f643dc 181->188 185 4f64394-4f6439a 183->185 186 4f6439b-4f643aa 183->186 191 4f64342-4f64348 184->191 192 4f64349-4f64358 184->192 185->186 186->188 191->192 192->188
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 04F64381
Memory Dump Source
• Source File: 00000003.00000002.2612824498.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4f60000_5tCuNr661k.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: edcccdf0b53221d9593c2b1f55132f54743d0fb67310b2b824173877ba2c0e01
• Instruction ID: 9bc5c04b0f5fd6347eb1679505e928f3632882e1851fb5b8e5b965cb3514d6b1
• Opcode Fuzzy Hash: edcccdf0b53221d9593c2b1f55132f54743d0fb67310b2b824173877ba2c0e01
• Instruction Fuzzy Hash: FE415AB4A00305DFDB14DF9AC449AAABBF5FF88314F248558E519AB321D375A841CBA4

Control-flow Graph
control_flow_graph 194 db4248-db5a01 CreateActCtxA 197 db5a0a-db5a64 194->197 198 db5a03-db5a09 194->198 205 db5a73-db5a77 197->205 206 db5a66-db5a69 197->206 198->197 207 db5a79-db5a85 205->207 208 db5a88 205->208 206->205 207->208 210 db5a89 208->210 210->210
APIs
• CreateActCtxA.KERNEL32(?), ref: 00DB59F1
Memory Dump Source
• Source File: 00000003.00000002.2610631552.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_db0000_5tCuNr661k.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 683ac73a0c510ccceff100a96a18eea5b5a2473245ca46bd6528f3107598ffe9
• Instruction ID: e7d9ea4f1a3725102440984ceabaa63eb07612b2f47fe0af117e26bf0387d627
• Opcode Fuzzy Hash: 683ac73a0c510ccceff100a96a18eea5b5a2473245ca46bd6528f3107598ffe9
• Instruction Fuzzy Hash: 0F41C1B0C00719CBDB24CFAAC884BDDBBB5BF48304F20816AD409BB255DBB56945CFA0

Control-flow Graph
control_flow_graph 211 dbc9a0-dbd394 DuplicateHandle 213 dbd39d-dbd3ba 211->213 214 dbd396-dbd39c 211->214 214->213
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00DBD2C6,?,?,?,?,?), ref: 00DBD387
Memory Dump Source
• Source File: 00000003.00000002.2610631552.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_db0000_5tCuNr661k.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: b50d7c90f94951cf9eea568f6a8491edf36d52cfcbc16128c18c2f185245dfb4
• Instruction ID: f82a10873160aaf40dabe19ac1a61511fee8ccc0a277180063756c2adf06ba89
• Opcode Fuzzy Hash: b50d7c90f94951cf9eea568f6a8491edf36d52cfcbc16128c18c2f185245dfb4
• Instruction Fuzzy Hash: 0E2114B5900308DFDB10CF9AD884BEEBBF5EB48310F24802AE959A3311D374A950CFA5

Control-flow Graph
control_flow_graph 217 dbd2f9-dbd394 DuplicateHandle 218 dbd39d-dbd3ba 217->218 219 dbd396-dbd39c 217->219 219->218
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00DBD2C6,?,?,?,?,?), ref: 00DBD387
Memory Dump Source
• Source File: 00000003.00000002.2610631552.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_db0000_5tCuNr661k.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 6cc9274909ac1abaa3d396598ab29a954d6a19bd49dedee199f5e06a787e00b2
• Instruction ID: 1480cdbf99926d1fdd599a4fcc2d2bd4bd1ebdad0164b98fbaf55f2accc56626
• Opcode Fuzzy Hash: 6cc9274909ac1abaa3d396598ab29a954d6a19bd49dedee199f5e06a787e00b2
• Instruction Fuzzy Hash: BF2114B5D00209DFDB10CF9AD484AEEBBF5EB48310F14802AE958A3311D374A941CFA1

Control-flow Graph
control_flow_graph 222 dbb020-dbb060 223 dbb068-dbb093 GetModuleHandleW 222->223 224 dbb062-dbb065 222->224 225 dbb09c-dbb0b0 223->225 226 dbb095-dbb09b 223->226 224->223 226->225
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00DBB086
Memory Dump Source
• Source File: 00000003.00000002.2610631552.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_db0000_5tCuNr661k.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: cb884891a01f8d36c815af3a3ac2783a87ac98ad601092dcfaec30c2783ea45e
• Instruction ID: c5c0ad1954f094d0933c096273abc7b91e98cb8adff6c3a3321a4c313aad23d5
• Opcode Fuzzy Hash: cb884891a01f8d36c815af3a3ac2783a87ac98ad601092dcfaec30c2783ea45e
• Instruction Fuzzy Hash: 4911D2B5C00749CFDB10DF9AC444BDEFBF4AB49720F14842AD469A7210D3B5A545CFA5

Memory Dump Source
• Source File: 00000003.00000002.2610289876.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c9d000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d57cad10222b630038222c9573916ca0489261385cf1555e3be2d64d280d4ae3
• Instruction ID: a2e8b18e5e9a173a7040635f84f56191c0eda5eb209bb24015a360f29c6437d9
• Opcode Fuzzy Hash: d57cad10222b630038222c9573916ca0489261385cf1555e3be2d64d280d4ae3
• Instruction Fuzzy Hash: 172134B2504240DFDF05DF14D9C8B26BF65FB88318F20C5A9E80A2B256C336D956CBA2

Memory Dump Source
• Source File: 00000003.00000002.2610363728.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_cad000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 03eede6a41a0a2e339f232b04a01d5e505a30ebdd3cfd846d560112733202212
• Instruction ID: 28a6b28c5e204c39d71fe9fd6dfa1af817c3c18108d779c9fa72cc8fe9556e5f
• Opcode Fuzzy Hash: 03eede6a41a0a2e339f232b04a01d5e505a30ebdd3cfd846d560112733202212
• Instruction Fuzzy Hash: 20212271604300DFDB14DF20D9C0B26BB61EB89318F20C56DE84B4B692C336D847CA62
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2610363728.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_cad000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: e9c1f31da349c7bc78c0fa1a4571f2439c43f52fceef1ca74a7975c085dfcbd6
                                                                                                                                                                              • Instruction ID: 63b66c200be683c28e994a680ce333186d37ec51d8b0ebed6e3a08a3f3983f52
                                                                                                                                                                              • Opcode Fuzzy Hash: e9c1f31da349c7bc78c0fa1a4571f2439c43f52fceef1ca74a7975c085dfcbd6
                                                                                                                                                                              • Instruction Fuzzy Hash: 4E2165755093C08FCB12CF24D594715BF71EB46318F28C5EAD84A8F6A7C33A994ACB62
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2610289876.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_c9d000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                                                                                                                                                              • Instruction ID: 7aa8f25d31fa1bade58038e36f88430d56fdc5e60a2797958af9877c7eb6ebee
                                                                                                                                                                              • Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                                                                                                                                                              • Instruction Fuzzy Hash: 7A11E6B6504280CFCF15CF10D5C4B16BF71FB94318F24C6A9D84A5B656C336D95ACBA1
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2610289876.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_c9d000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: c6ff853644d847c87eb2deba326a4cb94a630325f1015a9c416fbe4a3720a973
                                                                                                                                                                              • Instruction ID: 1ef66db8608b0cd243bec4a83f82cd236a522f1a4aab2d0564339c21a0fa60f3
                                                                                                                                                                              • Opcode Fuzzy Hash: c6ff853644d847c87eb2deba326a4cb94a630325f1015a9c416fbe4a3720a973
                                                                                                                                                                              • Instruction Fuzzy Hash: 96F0F976200600AF97208F0AD884C27FBADEBD4770719C55AFC4A5B612C772EC42DEA0
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2610289876.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_c9d000_5tCuNr661k.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: a47826dec875aa32b292cce276166373ae3c3920f0d43ea52e7c4f920722e975
                                                                                                                                                                              • Instruction ID: ae8d3484ad18c08779a5d71de752038c0f716f672ac91119e7a080272f88c232
                                                                                                                                                                              • Opcode Fuzzy Hash: a47826dec875aa32b292cce276166373ae3c3920f0d43ea52e7c4f920722e975
                                                                                                                                                                              • Instruction Fuzzy Hash: B7F03C75104A80AFD7158F06C884C22BFB9EF897607198589F89A5B262C671FC42DB60