
Windows Analysis Report
5tCuNr661k.exe

Overview

General Information

Sample name: 5tCuNr661k.exe (renamed because original name is a hash value)
Original sample name: 309621355c48f1d8b77d4df0cfb99a32dbd0ab78f234b6c12934d9f3a1503af8.exe
Analysis ID: 1588744
MD5: 12dea314db7aa2b97f2c43a4081d4f66
SHA1: 67c73c5207f877ca7a075f38ff32acb4129ecf17
SHA256: 309621355c48f1d8b77d4df0cfb99a32dbd0ab78f234b6c12934d9f3a1503af8
Tags: exe, RedLineStealer, user-adrian__luca

Detection

RedLine
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • 5tCuNr661k.exe (PID: 2516 cmdline: "C:\Users\user\Desktop\5tCuNr661k.exe" MD5: 12DEA314DB7AA2B97F2C43A4081D4F66)
    • 5tCuNr661k.exe (PID: 6204 cmdline: "C:\Users\user\Desktop\5tCuNr661k.exe" MD5: 12DEA314DB7AA2B97F2C43A4081D4F66)
    • 5tCuNr661k.exe (PID: 5560 cmdline: "C:\Users\user\Desktop\5tCuNr661k.exe" MD5: 12DEA314DB7AA2B97F2C43A4081D4F66)
    • 5tCuNr661k.exe (PID: 1732 cmdline: "C:\Users\user\Desktop\5tCuNr661k.exe" MD5: 12DEA314DB7AA2B97F2C43A4081D4F66)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
00000000.00000002.2215475353.00000000048A4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000006.00000002.3899912805.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2215475353.00000000048EF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2215475353.0000000004501000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: 5tCuNr661k.exe PID: 2516 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(2 further entries not shown)
Source | Rule | Description | Author | Strings
0.2.5tCuNr661k.exe.48bb800.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.5tCuNr661k.exe.48bb800.1.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
• 0x24cc3:$gen01: ChromeGetRoamingName
• 0x24ce8:$gen02: ChromeGetLocalName
• 0x24d2b:$gen03: get_UserDomainName
• 0x28bc4:$gen04: get_encrypted_key
• 0x27943:$gen05: browserPaths
• 0x27c19:$gen06: GetBrowsers
• 0x27501:$gen07: get_InstalledInputLanguages
• 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
• 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
• 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
• 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
• 0x296be:$spe9: *wallet*
• 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
• 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
• 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
• 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
• 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
• 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
• 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
• 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.5tCuNr661k.exe.48705e0.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.5tCuNr661k.exe.48705e0.3.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io (the same string matches as listed under the previous entry)
6.2.5tCuNr661k.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(9 further entries not shown)
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 00000000.00000002.2215475353.00000000048A4000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 5tCuNr661k.exe | Virustotal: Detection: 71%
Source: 5tCuNr661k.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 5tCuNr661k.exe | Joe Sandbox ML: detected
Source: 5tCuNr661k.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5tCuNr661k.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb | source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb | source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32d | source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbr | source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbze | source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb | source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor | URLs: 87.120.120.86:1912
Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 87.120.120.86:1912
Source: Joe Sandbox View | IP Address: 87.120.120.86
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.120.86
Source: 5tCuNr661k.exe, 00000000.00000002.2214479993.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15LR
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16LR
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17LR
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18LR
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19LR
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LR
                  Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/x
Source: 5tCuNr661k.exe, 00000000.00000002.2215475353.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000000.00000002.2215475353.0000000004501000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000000.00000002.2215475353.00000000048EF000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3899912805.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip

                  System Summary

Source: 0.2.5tCuNr661k.exe.48bb800.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.5tCuNr661k.exe.48705e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
Source: 6.2.5tCuNr661k.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.5tCuNr661k.exe.48bb800.1.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.5tCuNr661k.exe.48705e0.3.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.5tCuNr661k.exe.47e0fc0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.5tCuNr661k.exe.47519a0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Code function (one entry per detected function; the extracted text repeated each identifier twice):
  0_2_011F22C8
  0_2_011F7408
  0_2_011FA54A
  0_2_011F094A
  0_2_011F097E
  0_2_011F09AB
  0_2_011F09DF
  0_2_011F08CE
  0_2_011F08FF
  0_2_011F0B1B
  0_2_011F0B9F
  0_2_011F2BB8
  0_2_011F2BA8
  0_2_011F0BD3
  0_2_011F0A0C
  0_2_011F0A41
  0_2_011F0A8D
  0_2_011F0D67
  0_2_011F0C99
  0_2_011F0CCD
  0_2_011F0E04
  0_2_011F0EAB
  0_2_011F35F0
  0_2_011F3600
  0_2_011F1B4B
  0_2_011F1BA3
  0_2_011F1A45
  0_2_011F1A71
  0_2_011F1C45
  0_2_011F1FFE
  0_2_011F1FE9
  0_2_011F1E0A
  0_2_011F1EFA
  0_2_05389AA0
  0_2_0538E930
  0_2_0538E8F8
  0_2_053812C4
  0_2_053838E0
  0_2_053838D0
  0_2_05389A47
  0_2_05389A90
  6_2_0116DC74
Source: 5tCuNr661k.exe, 00000000.00000002.2215475353.000000000493A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe, 00000000.00000002.2215475353.00000000048A4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe, 00000000.00000000.2050990544.00000000009A8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamekKCN.exe0 vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe, 00000000.00000002.2214479993.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe, 00000000.00000002.2215475353.0000000004501000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe, 00000000.00000002.2220825674.0000000007910000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe, 00000000.00000002.2222847125.0000000009A00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe, 00000000.00000002.2215475353.00000000044C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe, 00000000.00000002.2215475353.00000000048EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe, 00000000.00000002.2213639086.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe, 00000006.00000002.3899912805.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe | Binary or memory string: OriginalFilenamekKCN.exe0 vs 5tCuNr661k.exe
Source: 5tCuNr661k.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.5tCuNr661k.exe.48bb800.1.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.5tCuNr661k.exe.48705e0.3.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 6.2.5tCuNr661k.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.5tCuNr661k.exe.48bb800.1.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.5tCuNr661k.exe.48705e0.3.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.5tCuNr661k.exe.47e0fc0.0.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.5tCuNr661k.exe.47519a0.4.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 5tCuNr661k.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engineClassification label: mal92.troj.evad.winEXE@7/1@0/1
                  Source: C:\Users\user\Desktop\5tCuNr661k.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5tCuNr661k.exe.logJump to behavior
                  Source: C:\Users\user\Desktop\5tCuNr661k.exeMutant created: NULL
Source: 5tCuNr661k.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 5tCuNr661k.exe | Virustotal: Detection: 71%
Source: 5tCuNr661k.exe | ReversingLabs: Detection: 60%
Source: unknown | Process created: C:\Users\user\Desktop\5tCuNr661k.exe "C:\Users\user\Desktop\5tCuNr661k.exe"
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process created: C:\Users\user\Desktop\5tCuNr661k.exe "C:\Users\user\Desktop\5tCuNr661k.exe"
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process created: C:\Users\user\Desktop\5tCuNr661k.exe "C:\Users\user\Desktop\5tCuNr661k.exe"
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process created: C:\Users\user\Desktop\5tCuNr661k.exe "C:\Users\user\Desktop\5tCuNr661k.exe"
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\5tCuNr661k.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 5tCuNr661k.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 5tCuNr661k.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000D57000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000D57000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32d source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbr source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000D57000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbze source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp
Source: 5tCuNr661k.exe | Static PE information: section name: .text entropy: 7.784152143328839
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: 5tCuNr661k.exe PID: 2516, type: MEMORYSTR
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: 11F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: 4CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: 53A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: 63A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: 64D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: 74D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: A0E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: B0E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: B570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: C570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: 1160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: 2A50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: 2940000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\5tCuNr661k.exe TID: 6512 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\5tCuNr661k.exe TID: 4088 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Thread delayed: delay time: 922337203685477
Source: 5tCuNr661k.exe, 00000006.00000002.3900253602.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process created: C:\Users\user\Desktop\5tCuNr661k.exe "C:\Users\user\Desktop\5tCuNr661k.exe"
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process created: C:\Users\user\Desktop\5tCuNr661k.exe "C:\Users\user\Desktop\5tCuNr661k.exe"
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Process created: C:\Users\user\Desktop\5tCuNr661k.exe "C:\Users\user\Desktop\5tCuNr661k.exe"
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Users\user\Desktop\5tCuNr661k.exe VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Users\user\Desktop\5tCuNr661k.exe VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\5tCuNr661k.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match | File source: 0.2.5tCuNr661k.exe.48bb800.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCuNr661k.exe.48705e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.5tCuNr661k.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCuNr661k.exe.48bb800.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCuNr661k.exe.48705e0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCuNr661k.exe.47e0fc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCuNr661k.exe.47519a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2215475353.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3899912805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2215475353.00000000048EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2215475353.0000000004501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5tCuNr661k.exe PID: 2516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 5tCuNr661k.exe PID: 1732, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 0.2.5tCuNr661k.exe.48bb800.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCuNr661k.exe.48705e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.5tCuNr661k.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCuNr661k.exe.48bb800.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCuNr661k.exe.48705e0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCuNr661k.exe.47e0fc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCuNr661k.exe.47519a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2215475353.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3899912805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2215475353.00000000048EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2215475353.0000000004501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5tCuNr661k.exe PID: 2516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 5tCuNr661k.exe PID: 1732, type: MEMORYSTR
MITRE ATT&CK matrix, one line per tactic (Reconnaissance through Impact); the number in parentheses is the count the report shows beside a matched technique:

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (11), Obfuscated Files or Information (1), Software Packing (2), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (31), System Information Discovery (12), Internet Connection Discovery, Wi-Fi Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Source | Detection | Scanner | Label
5tCuNr661k.exe | 71% | Virustotal |
5tCuNr661k.exe | 61% | ReversingLabs | Win32.Trojan.Jalapeno
5tCuNr661k.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
87.120.120.86:1912 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://tempuri.org/Entity/Id10Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id24LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id8Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id22LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id20LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id12Response | 5tCuNr661k.exe memory dumps | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id2Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id21Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id19LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id23Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id17LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id15LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id9LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id19Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id13LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id7LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id11LR | 5tCuNr661k.exe memory dumps | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | 5tCuNr661k.exe memory dumps | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id17Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id1LR | 5tCuNr661k.exe memory dumps | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id5LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id20Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id3LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id15Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id13Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id4Response | 5tCuNr661k.exe memory dumps | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id6Response | 5tCuNr661k.exe memory dumps | false | | high
https://api.ip.sb/ip | 5tCuNr661k.exe memory dumps | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id23LR | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id7Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id21LR | 5tCuNr661k.exe memory dumps | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/x | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id11Response | 5tCuNr661k.exe memory dumps | false | | high
http://tempuri.org/Entity/Id9Response | 5tCuNr661k.exe memory dumps | false | |
                                                                                                    high
                                                                                                    http://tempuri.org/Entity/Id22Response5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id24Response5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id1Response5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id18LR5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id16LR5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id8LR5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id14LR5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id6LR5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id18Response5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id12LR5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/Entity/Id10LR5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id4LR5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id2LR5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rmX5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://tempuri.org/Entity/Id3Response5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://localhost/arkanoid_server/requests.php5tCuNr661k.exe, 00000000.00000002.2214479993.0000000002CC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://tempuri.org/Entity/Id16Response5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://tempuri.org/Entity/Id5Response5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/soap/actor/next5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://tempuri.org/Entity/Id14Response5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, 5tCuNr661k.exe, 00000006.00000002.3901161994.0000000002C9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
IP | Domain | Country | ASN | ASN Name | Malicious
87.120.120.86 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588744
Start date and time: 2025-01-11 05:01:50 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 5tCuNr661k.exe (renamed because original name is a hash value)
Original Sample Name: 309621355c48f1d8b77d4df0cfb99a32dbd0ab78f234b6c12934d9f3a1503af8.exe
Detection: MAL
Classification: mal92.troj.evad.winEXE@7/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 63
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.12.23.50, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
87.120.120.86 | shaLnqmyTS.exe | malicious | RedLine |
87.120.120.86 | shaLnqmyTS.exe | malicious | RedLine |
87.120.120.86 | zAGUEDGSTM.exe | malicious | RedLine |
87.120.120.86 | C5Zr4LSzmp.exe | malicious | RedLine |
87.120.120.86 | C5Zr4LSzmp.exe | malicious | RedLine |
87.120.120.86 | VmoLw6EKj5.exe | malicious | RedLine |
87.120.120.86 | Xf3rn1smZw.exe | malicious | RedLine |
87.120.120.86 | 2eRd5imEKU.exe | malicious | RedLine |
87.120.120.86 | 2eRd5imEKU.exe | malicious | RedLine |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNACS-AS-BG8000BurgasBG | shaLnqmyTS.exe | malicious | RedLine | 87.120.120.86
UNACS-AS-BG8000BurgasBG | shaLnqmyTS.exe | malicious | RedLine | 87.120.120.86
UNACS-AS-BG8000BurgasBG | zAGUEDGSTM.exe | malicious | RedLine | 87.120.120.86
UNACS-AS-BG8000BurgasBG | WtZl31OLfA.exe | malicious | Remcos, GuLoader | 87.120.116.187
UNACS-AS-BG8000BurgasBG | C5Zr4LSzmp.exe | malicious | RedLine | 87.120.120.86
UNACS-AS-BG8000BurgasBG | C5Zr4LSzmp.exe | malicious | RedLine | 87.120.120.86
UNACS-AS-BG8000BurgasBG | 2XnMqJW0u1.exe | malicious | XWorm | 87.120.120.15
UNACS-AS-BG8000BurgasBG | VmoLw6EKj5.exe | malicious | RedLine | 87.120.120.86
UNACS-AS-BG8000BurgasBG | QwMcsmYcxv.exe | malicious | AsyncRAT, VenomRAT | 87.120.120.15
No context
No context
Process: C:\Users\user\Desktop\5tCuNr661k.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.630688730462622
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: 5tCuNr661k.exe
File size: 877'568 bytes
MD5: 12dea314db7aa2b97f2c43a4081d4f66
SHA1: 67c73c5207f877ca7a075f38ff32acb4129ecf17
SHA256: 309621355c48f1d8b77d4df0cfb99a32dbd0ab78f234b6c12934d9f3a1503af8
SHA512: 9c9dd9b9011739ce1159e302690dc522110d5fe33b671074aa1193b9cc7576abc9d4017ff49adf2c473d8e52582395f0b3a9f2db65e026e0e021c8067facabdc
SSDEEP: 24576:3fIeejFpYqPMy5lp8/EZWmBCfpAJ7WXYsstJ:PBejFp/0iwReChA1WXCf
TLSH: BC15F198B600F48FC843C6318E69EC7466506DEED207930B65D73EAFF96EA538D16093
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ng..............0..P...........o... ........@.. ....................................@................................
Icon Hash: 4b66a4ecc5ce527b
Entrypoint: 0x4c6f2e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x674EADCB [Tue Dec 3 07:05:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc6ed4          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc8000          0x10e18       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xda000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xc4f34       0xc5000   f11c7a9b86e5243671e47fb6141ada0f  False     0.9096890367227157  data       7.784152143328839    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xc8000          0x10e18       0x11000   322916f6508e625b6efcc1faccf298ba  False     0.2195111443014706  data       4.328310135772269    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xda000          0xc           0x200     52821257853a5c24cd2290f100afe99a  False     0.044921875         data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                                    Language  Country  ZLIB Complexity
RT_ICON        0xc8160  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m                            0.21470188098899798
RT_GROUP_ICON  0xd8988  0x14     data                                                                                                                       1.0
RT_GROUP_ICON  0xd899c  0x14     data                                                                                                                       1.05
RT_VERSION     0xd89b0  0x278    data                                                                                                                       0.4699367088607595
RT_MANIFEST    0xd8c28  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                                          0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Jan 11, 2025 05:02:59.364017010 CET  49713        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:02:59.368916988 CET  1912         49713      87.120.120.86  192.168.2.5
Jan 11, 2025 05:02:59.369009018 CET  49713        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:02:59.379534006 CET  49713        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:02:59.384402990 CET  1912         49713      87.120.120.86  192.168.2.5
Jan 11, 2025 05:03:20.731858015 CET  1912         49713      87.120.120.86  192.168.2.5
Jan 11, 2025 05:03:20.731937885 CET  49713        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:03:20.758019924 CET  49713        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:03:25.785609961 CET  49885        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:03:25.790468931 CET  1912         49885      87.120.120.86  192.168.2.5
Jan 11, 2025 05:03:25.790564060 CET  49885        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:03:25.791306973 CET  49885        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:03:25.796109915 CET  1912         49885      87.120.120.86  192.168.2.5
Jan 11, 2025 05:03:47.167543888 CET  1912         49885      87.120.120.86  192.168.2.5
Jan 11, 2025 05:03:47.167610884 CET  49885        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:03:47.167881012 CET  49885        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:03:52.172156096 CET  49983        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:03:52.177118063 CET  1912         49983      87.120.120.86  192.168.2.5
Jan 11, 2025 05:03:52.177257061 CET  49983        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:03:52.177562952 CET  49983        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:03:52.182351112 CET  1912         49983      87.120.120.86  192.168.2.5
Jan 11, 2025 05:04:13.547748089 CET  1912         49983      87.120.120.86  192.168.2.5
Jan 11, 2025 05:04:13.547852039 CET  49983        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:04:13.548170090 CET  49983        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:04:18.562417030 CET  49985        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:04:18.567709923 CET  1912         49985      87.120.120.86  192.168.2.5
Jan 11, 2025 05:04:18.567819118 CET  49985        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:04:18.568154097 CET  49985        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:04:18.572961092 CET  1912         49985      87.120.120.86  192.168.2.5
Jan 11, 2025 05:04:39.940285921 CET  1912         49985      87.120.120.86  192.168.2.5
Jan 11, 2025 05:04:39.940423012 CET  49985        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:04:39.940723896 CET  49985        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:04:44.952796936 CET  49986        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:04:44.957688093 CET  1912         49986      87.120.120.86  192.168.2.5
Jan 11, 2025 05:04:44.957771063 CET  49986        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:04:44.958072901 CET  49986        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:04:44.962852001 CET  1912         49986      87.120.120.86  192.168.2.5
Jan 11, 2025 05:05:06.341253996 CET  1912         49986      87.120.120.86  192.168.2.5
Jan 11, 2025 05:05:06.341985941 CET  49986        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:05:06.342401981 CET  49986        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:05:11.359369993 CET  49987        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:05:11.364375114 CET  1912         49987      87.120.120.86  192.168.2.5
Jan 11, 2025 05:05:11.364454985 CET  49987        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:05:11.364763975 CET  49987        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:05:11.369611979 CET  1912         49987      87.120.120.86  192.168.2.5
Jan 11, 2025 05:05:32.719156027 CET  1912         49987      87.120.120.86  192.168.2.5
Jan 11, 2025 05:05:32.719217062 CET  49987        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:05:32.719567060 CET  49987        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:05:37.735419989 CET  49988        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:05:37.740772009 CET  1912         49988      87.120.120.86  192.168.2.5
Jan 11, 2025 05:05:37.740854979 CET  49988        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:05:37.741139889 CET  49988        1912       192.168.2.5    87.120.120.86
Jan 11, 2025 05:05:37.745888948 CET  1912         49988      87.120.120.86  192.168.2.5
Target ID: 0
Start time: 23:02:41
Start date: 10/01/2025
Path: C:\Users\user\Desktop\5tCuNr661k.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\5tCuNr661k.exe"
Imagebase: 0x8e0000
File size: 877'568 bytes
MD5 hash: 12DEA314DB7AA2B97F2C43A4081D4F66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2215475353.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2215475353.00000000048EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2215475353.0000000004501000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 4
Start time: 23:02:57
Start date: 10/01/2025
Path: C:\Users\user\Desktop\5tCuNr661k.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\5tCuNr661k.exe"
Imagebase: 0x3d0000
File size: 877'568 bytes
MD5 hash: 12DEA314DB7AA2B97F2C43A4081D4F66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 23:02:57
Start date: 10/01/2025
Path: C:\Users\user\Desktop\5tCuNr661k.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\5tCuNr661k.exe"
Imagebase: 0x450000
File size: 877'568 bytes
MD5 hash: 12DEA314DB7AA2B97F2C43A4081D4F66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 6
Start time: 23:02:57
Start date: 10/01/2025
Path: C:\Users\user\Desktop\5tCuNr661k.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\5tCuNr661k.exe"
Imagebase: 0x750000
File size: 877'568 bytes
MD5 hash: 12DEA314DB7AA2B97F2C43A4081D4F66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.3899912805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 13.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2%
Total number of Nodes: 149
Total number of Limit Nodes: 10
(execution graph: serialized node/edge list omitted)

Control-flow Graph
(control-flow graph: serialized node/edge list omitted)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: 983c3425ba6f84fd905f6e4034c4fbdf13b7ed26e52ce08d9f95ecc56386ca70
• Instruction ID: 90ece0aa1f24647d5e304ea89417975708d35f31b06b1fbd00d44f038bcef72f
• Opcode Fuzzy Hash: 983c3425ba6f84fd905f6e4034c4fbdf13b7ed26e52ce08d9f95ecc56386ca70
• Instruction Fuzzy Hash: 6D913571A043468FCB49CFA8C8419EEBBF1FF89320B55816ED545AB253D3389E06CB51

Control-flow Graph
(control-flow graph: serialized node/edge list omitted)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: cf040cccaf625a57976977d84921d31e8b08f6ec71ea64227043b43ba89020d5
• Instruction ID: 16e5ca3c9826e5c77e9e2482456468c7cf78541e2820b1532f8bd3bb21da9e74
• Opcode Fuzzy Hash: cf040cccaf625a57976977d84921d31e8b08f6ec71ea64227043b43ba89020d5
• Instruction Fuzzy Hash: A981C171A05306CFCB49CFA8C4849AEFBF2FF89320B51816EE555AB252D335AE05CB51

Control-flow Graph
(control-flow graph: serialized node/edge list omitted)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: a048019a7f7a5ee88885d0bdc82b954776b41cdfee85ee6624bcc5a97d487efb
• Instruction ID: 3ae27216bc6db558fd642cf7a0c7d8d47f90c60314cb08aaab1dd32f3fdf7353
• Opcode Fuzzy Hash: a048019a7f7a5ee88885d0bdc82b954776b41cdfee85ee6624bcc5a97d487efb
• Instruction Fuzzy Hash: D581D171A043068FCB49CFA8D8809EEFBF2FF85320B51816ED545AB252D7359E05CB61

Control-flow Graph
(control-flow graph: serialized node/edge list omitted)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: 4799b7cc4ad67846ed43508ee9cae0ebdb43182d5c12e389e5477508659b0f31
• Instruction ID: 58545164ba457cd641651df5d15692b115526bf05dd803d8c1717d137afda90e
• Opcode Fuzzy Hash: 4799b7cc4ad67846ed43508ee9cae0ebdb43182d5c12e389e5477508659b0f31
• Instruction Fuzzy Hash: B581C271A043068FCB49CFA8C8819AEFBF2FF89320B51816ED555AB252D7359E05CB51

Control-flow Graph (graph not reproduced)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: 504dc9724aee8263526a2884690e0ad217d5607f00b3034854111082763e33fd
• Instruction ID: b7cf4b13c306e1bc2d6ef8e85e5ccb5e5a88945248879576bba3aa23c5f35d1f
• Opcode Fuzzy Hash: 504dc9724aee8263526a2884690e0ad217d5607f00b3034854111082763e33fd
• Instruction Fuzzy Hash: 8C81E131A043068FCB49CFA8C8919EEFBF2FF85320B55816ED545AB252D7399E06CB51

Control-flow Graph (graph not reproduced)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: ef28eecb473252847ab0e486cc2a2180db4ff4bc49e43d2121f7a671186f969c
• Instruction ID: 62c66981fe7aee5e9b33c9f86d0be66438610a2039930ff386bd0a9d9a1a46cc
• Opcode Fuzzy Hash: ef28eecb473252847ab0e486cc2a2180db4ff4bc49e43d2121f7a671186f969c
• Instruction Fuzzy Hash: E0810131A043068FCB49CFA8C8919EEFBF2FF85320B55816ED505AB252D7399E06CB51

Control-flow Graph (graph not reproduced)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: 4a7d628b02ff0d2233658f36a808c45ce9cbc388471ad8427c407427d00158fd
• Instruction ID: ef1eb0593efda41e075bc569db1381928646a28c4ca2e5acdfd15e5abaaf05bc
• Opcode Fuzzy Hash: 4a7d628b02ff0d2233658f36a808c45ce9cbc388471ad8427c407427d00158fd
• Instruction Fuzzy Hash: 8C81F231A043068FCB49CFA8C8919EEFBF2FF85320B55816ED545AB252D7399E06CB51

Control-flow Graph (graph not reproduced)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: 978587fd6d9d8e67277d53dd8015dc50808176495f6654c389c325effa32ecd2
• Instruction ID: cc82a32711d9a78d87773d8ae312aecdc6266c10986a6e39179f8f7d955f8d0b
• Opcode Fuzzy Hash: 978587fd6d9d8e67277d53dd8015dc50808176495f6654c389c325effa32ecd2
• Instruction Fuzzy Hash: 4E71E171A043468FCB49CFA8C8819EEFBF2FF85320B51816ED545AB252D7399E06CB51

Control-flow Graph (graph not reproduced)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: 59e68d09bfa6800b96c277d8552e986d7599935c8b1a417831626a1df4bc1576
• Instruction ID: 7975013daebc02cce45d79384894f077ffbc83efe755ceca8d3e0c363ba961c1
• Opcode Fuzzy Hash: 59e68d09bfa6800b96c277d8552e986d7599935c8b1a417831626a1df4bc1576
• Instruction Fuzzy Hash: 9971F231A043068FCB49CFA8C8819EEFBF2FF85320B55816ED545AB252D7399E06CB51
Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: 9f8d78e76b0508a30e262a6027751ec12cf4c60255d21282797ce1d1ee6c71cd
• Instruction ID: 7ff3fd2f456b20ea2c99dc1d65e23ac182a0c7dfaf3e0d468e1b737d8c76bfe5
• Opcode Fuzzy Hash: 9f8d78e76b0508a30e262a6027751ec12cf4c60255d21282797ce1d1ee6c71cd
• Instruction Fuzzy Hash: 9C71F331A043468FCB49CFA8C8819EEFBF1FF85320B51816ED545AB252D7399E06CB51
Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: 2396da1e24acb880cb7ea0d59580e04157d1b0619d4984f68f2353780d0d1953
• Instruction ID: 9280cfb4761ea63f5c6aa4a647fb477574f9ea2f4e05a27a9be7897a4f8948d8
• Opcode Fuzzy Hash: 2396da1e24acb880cb7ea0d59580e04157d1b0619d4984f68f2353780d0d1953
• Instruction Fuzzy Hash: 7E71F371A043468FCB49CFA8C8819EEFBF2FF85320B51816ED545AB252D7399E06CB51
Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: a5f1031f14ab6e057061e3fbdcb5486814d0982f2ae980b1a538f359f34273bc
• Instruction ID: 90697a6a7fb1473da3b99aab335274ced2b9ac7087839d24c37ee893576ec661
• Opcode Fuzzy Hash: a5f1031f14ab6e057061e3fbdcb5486814d0982f2ae980b1a538f359f34273bc
• Instruction Fuzzy Hash: 4471F271A043068FCB49CFA8C8819EEFBF2FF85320B51816ED545AB252D7399E06CB51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Te]q$Te]q
                                                                                                                                                                            • API String ID: 0-3320153681
                                                                                                                                                                            • Opcode ID: 3f21cf55663747e2d8c8ca17d396895da6f703078ebb26c367ada69563cd22a6
                                                                                                                                                                            • Instruction ID: 5dc3bae20f0be286ff47b080cc2a2aa64154bf052a544d8f9a133cba7b9d552d
                                                                                                                                                                            • Opcode Fuzzy Hash: 3f21cf55663747e2d8c8ca17d396895da6f703078ebb26c367ada69563cd22a6
                                                                                                                                                                            • Instruction Fuzzy Hash: 12710431A043068FCB49CFA8C8819EEFBF1FF85320B51816ED545AB252D7399E05CB51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Te]q$Te]q
                                                                                                                                                                            • API String ID: 0-3320153681
                                                                                                                                                                            • Opcode ID: 236a193f62bf3094ebc246ce696a8f3d3627a683d6ee53f31472432c7b8871a8
                                                                                                                                                                            • Instruction ID: 7643aab6a4c1fc1a810713b33d95acc37092e7377015f5c95f80a655880ac403
                                                                                                                                                                            • Opcode Fuzzy Hash: 236a193f62bf3094ebc246ce696a8f3d3627a683d6ee53f31472432c7b8871a8
                                                                                                                                                                            • Instruction Fuzzy Hash: ED711231A043068FCB49CFA8D8809EEFBF2FF85320B55816ED545AB252D7399E02CB51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Te]q$Te]q
                                                                                                                                                                            • API String ID: 0-3320153681
                                                                                                                                                                            • Opcode ID: bde8dc09ba1cac4697578076ce281fbc6ad278dc054404ab0492732a2bb8fbd4
                                                                                                                                                                            • Instruction ID: aef0faea9fec9d4355bd340bc9fce1cd31ffa8cc7a002f7faa693f3db896f816
                                                                                                                                                                            • Opcode Fuzzy Hash: bde8dc09ba1cac4697578076ce281fbc6ad278dc054404ab0492732a2bb8fbd4
                                                                                                                                                                            • Instruction Fuzzy Hash: 68711331A043068FCB49CFA8C8819EEFBF1FF85320B55816ED505AB252D7399E02CB61
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Te]q$Te]q
                                                                                                                                                                            • API String ID: 0-3320153681
                                                                                                                                                                            • Opcode ID: eade8d1e7f8b0f10f6d162f2fa74da368e519ed9ad7ff7148c49b82157fb714e
                                                                                                                                                                            • Instruction ID: 628ff3eb52ac61a4eb4529896764737d8983c6ab0bd0c7cc57b7ef5fb77ba0f9
                                                                                                                                                                            • Opcode Fuzzy Hash: eade8d1e7f8b0f10f6d162f2fa74da368e519ed9ad7ff7148c49b82157fb714e
                                                                                                                                                                            • Instruction Fuzzy Hash: 7D711231A043468FCB49CFA8C8819EEFBF1FF85320B55816EE545AB252D7399E02CB51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Te]q$Te]q
                                                                                                                                                                            • API String ID: 0-3320153681
                                                                                                                                                                            • Opcode ID: 5e5cbc39d8edffbc67be7c1634ca84f84758aecb5f207054c85a19f0a47a3ae6
                                                                                                                                                                            • Instruction ID: bac5557811cabd2093632287369aa1a03ef58b0ec26a3d88988a873583ff10e3
                                                                                                                                                                            • Opcode Fuzzy Hash: 5e5cbc39d8edffbc67be7c1634ca84f84758aecb5f207054c85a19f0a47a3ae6
                                                                                                                                                                            • Instruction Fuzzy Hash: 2371E031A043068FCB49CFA8C8819EEBBF2FF85320B51816ED545EB252D7399E06CB51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 59b877910717a7d2a8e3d4bb05205f68b7a2464e6fbb9589085123e19a5caa0d
                                                                                                                                                                            • Instruction ID: 52ae4cda2ddb5d670674b33213aac11e4657a3df477efa20023ba655083620a6
                                                                                                                                                                            • Opcode Fuzzy Hash: 59b877910717a7d2a8e3d4bb05205f68b7a2464e6fbb9589085123e19a5caa0d
                                                                                                                                                                            • Instruction Fuzzy Hash: C8C15335A04306CFCB4ECF68D8D18A9BBB1FF41320B56866ED2428B661D734EE60CB55
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3020c38c84a09c5d159c6cefa8261b984f1baccf73843f028588115f09c9a5fa
                                                                                                                                                                            • Instruction ID: 0e37a332e6a25d4c5a04ed552828630bed9c088a9a6d0841212147399530c46f
                                                                                                                                                                            • Opcode Fuzzy Hash: 3020c38c84a09c5d159c6cefa8261b984f1baccf73843f028588115f09c9a5fa
                                                                                                                                                                            • Instruction Fuzzy Hash: 9FC16331A103058FCB04EFA8D895ABEB7B6FF84300F508959E419AF365DB74E945CB51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 52beb1218531f74b04ec3417dd21363188d2bd6586e9cd9c5feb2272431d23c5
                                                                                                                                                                            • Instruction ID: c6425054c1149cc17bb5c98c4135b7307a58a25dc9a8170a68e529a66c22b2d7
                                                                                                                                                                            • Opcode Fuzzy Hash: 52beb1218531f74b04ec3417dd21363188d2bd6586e9cd9c5feb2272431d23c5
                                                                                                                                                                            • Instruction Fuzzy Hash: 6DC12275A04306CFCB4ECF64D8D04A5BBB0FF42320756866ED2428B661D734EE55CB99
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c0d224298a2e43cc71b4c1832924eb3e7c7ab88bab9ddef82f67c7c90d621ceb
                                                                                                                                                                            • Instruction ID: 79222f87eacfa498af1972aab61565e174864679aaf21cf428406ee7bf882401
                                                                                                                                                                            • Opcode Fuzzy Hash: c0d224298a2e43cc71b4c1832924eb3e7c7ab88bab9ddef82f67c7c90d621ceb
                                                                                                                                                                            • Instruction Fuzzy Hash: 04C17231B102048FCB08EFA8D895A7EBBB6FF84300F508969E50AAF365DB74D945CB51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c640ea9987d947004e934b7690bcd11b19e72526af21f108b213d0c035eeccac
                                                                                                                                                                            • Instruction ID: 6ac2639d250a215911107396aa06ab54dd07ea7962d111491a086822b7d47d87
                                                                                                                                                                            • Opcode Fuzzy Hash: c640ea9987d947004e934b7690bcd11b19e72526af21f108b213d0c035eeccac
                                                                                                                                                                            • Instruction Fuzzy Hash: 53B12435A08306CFCB4ECF64D8D08E5BBB0FF41320756866ED2428B661D734EA55CB9A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 02f30dda4750d0da520819cdcd522f2eaeb1f160a4bfe2ec669b1d08c0b83360
                                                                                                                                                                            • Instruction ID: f1a32fed1069ac6e3b86cf6f506938464f029726eb7254721cc8b1ee778029d0
                                                                                                                                                                            • Opcode Fuzzy Hash: 02f30dda4750d0da520819cdcd522f2eaeb1f160a4bfe2ec669b1d08c0b83360
                                                                                                                                                                            • Instruction Fuzzy Hash: 1FB17131A102048FCB08EFA8D995A7EBBB6FF84300F508969E50AAF365DB74D945CB51
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd

Control-flow Graph

[Graph of the function at 053809b0 (basic blocks 53809b0 through 5380b8d; calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId, plus the sub-function at 5380f80 / 5380b90 from 5380aed); the rendered graph and its executed / not-executed colouring are not recoverable from the extracted text.]

APIs
• GetCurrentProcess.KERNEL32 ref: 05380A3E
• GetCurrentThread.KERNEL32 ref: 05380A7B
• GetCurrentProcess.KERNEL32 ref: 05380AB8
• GetCurrentThreadId.KERNEL32 ref: 05380B11
Memory Dump Source
• Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph

[Graph of the function at 053809c0 (basic blocks 53809c0 through 5380b8d; calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId, plus the sub-function at 5380f80 / 5380b90 from 5380aed); the rendered graph and its executed / not-executed colouring are not recoverable from the extracted text.]

APIs
• GetCurrentProcess.KERNEL32 ref: 05380A3E
• GetCurrentThread.KERNEL32 ref: 05380A7B
• GetCurrentProcess.KERNEL32 ref: 05380AB8
• GetCurrentThreadId.KERNEL32 ref: 05380B11
Memory Dump Source
• Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
                                                                                                                                                                            • Opcode ID: 718cd057cc3b2564f32fbc3c5d9b59ffbba3f1463e1771e14e1d97c6b719e0a3
                                                                                                                                                                            • Instruction ID: 43e4656769fb19fc2e85bc38945af1f8628b81227909fc9e1f3c56b958ce8415
                                                                                                                                                                            • Opcode Fuzzy Hash: 718cd057cc3b2564f32fbc3c5d9b59ffbba3f1463e1771e14e1d97c6b719e0a3
                                                                                                                                                                            • Instruction Fuzzy Hash: 815166B0D013498FDB08DFA9D548BAEBBF1FF88304F248459E419A7360D7799988CB65
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053852A2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 716092398-0
                                                                                                                                                                            • Opcode ID: 9b4cc55a6c5ecbc30f805996aa4b1cb5d27b2429904799c7645b4c8e87f9070b
                                                                                                                                                                            • Instruction ID: 52d9d737ef366efb32fc47b2e64f4b6e78dccf1df0e1c6a9814ac7bec9e52056
                                                                                                                                                                            • Opcode Fuzzy Hash: 9b4cc55a6c5ecbc30f805996aa4b1cb5d27b2429904799c7645b4c8e87f9070b
                                                                                                                                                                            • Instruction Fuzzy Hash: FE41B3B1D10349EFDB14DF99C884ADEBBB5BF48310F64812AE819AB210D775A845CF90
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053852A2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 716092398-0
                                                                                                                                                                            • Opcode ID: 0a42a359a9946fce6c4c9315c395b49bda451110a8e0cc04bf81fd73cedbbbdc
                                                                                                                                                                            • Instruction ID: 0bbfaea26c3180c04ada003d5ce48c1f4df866ff554eaf5771e9c9451e97dc32
                                                                                                                                                                            • Opcode Fuzzy Hash: 0a42a359a9946fce6c4c9315c395b49bda451110a8e0cc04bf81fd73cedbbbdc
                                                                                                                                                                            • Instruction Fuzzy Hash: 8741B2B5D10309EFDF14DF99C984ADEBBB5BF48310F24812AE819AB210D775A845CF90
                                                                                                                                                                            APIs
                                                                                                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 05387821
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CallProcWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2714655100-0
                                                                                                                                                                            • Opcode ID: a48d5667b26b60eec4c185298d5e79f397fdee85f68ec3fe10b2be721346797c
                                                                                                                                                                            • Instruction ID: f6e5fa47e371f9f00b00685e32ee79f26f5cebf094c6856a2aca38f381de2641
                                                                                                                                                                            • Opcode Fuzzy Hash: a48d5667b26b60eec4c185298d5e79f397fdee85f68ec3fe10b2be721346797c
                                                                                                                                                                            • Instruction Fuzzy Hash: F9414CB9900309DFCB14DF99C448AAABBF6FF88314F24C459D519AB321D375A841CFA0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 011F8F79
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            • Opcode ID: 9efd2315fb753ad86888b1cd6199a8720af72d10297b89b1b25d864d4f2c1dfa
                                                                                                                                                                            • Instruction ID: 87c9474f1f042811015d28dbd0871f2f6d9e670b415dc8625f76de1b18ef0a0f
                                                                                                                                                                            • Opcode Fuzzy Hash: 9efd2315fb753ad86888b1cd6199a8720af72d10297b89b1b25d864d4f2c1dfa
                                                                                                                                                                            • Instruction Fuzzy Hash: 2241F3B0C00719CFDB28DFA9C944BCEBBB6BF49304F24805AD508AB265DB755946CF91
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 011F8F79
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            • Opcode ID: efd5b2aa3d1f3d1c36bbd33304e798f1ac5b0b07da331f61a36598cf5cad8abf
                                                                                                                                                                            • Instruction ID: 791df9dad76f2969c5c27816fb82433fe384ff26a6205444d41a6456ba006aa5
                                                                                                                                                                            • Opcode Fuzzy Hash: efd5b2aa3d1f3d1c36bbd33304e798f1ac5b0b07da331f61a36598cf5cad8abf
                                                                                                                                                                            • Instruction Fuzzy Hash: 244101B0C0071DCFDB28DFA9C844B9EBBB6BF49304F20806AD518AB251DB756946CF91
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053852A2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 716092398-0
                                                                                                                                                                            • Opcode ID: 52e9a8af968f88afb90e6bc20ad9829ed1e08814ddf6409fab8907ff2647b009
                                                                                                                                                                            • Instruction ID: ae921d18336c17323a35ffc94b801477b965110f7a687f308457dc98b5ae5199
                                                                                                                                                                            • Opcode Fuzzy Hash: 52e9a8af968f88afb90e6bc20ad9829ed1e08814ddf6409fab8907ff2647b009
                                                                                                                                                                            • Instruction Fuzzy Hash: 9331E371D10309EFDF14DF98C844BEDBBB1BF88304F20811AE508AB250CBB5A885CB90
                                                                                                                                                                            APIs
                                                                                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05380C8F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DuplicateHandle
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3793708945-0
                                                                                                                                                                            • Opcode ID: fb9eae23a023b2f3381b771b08c661e17e01cc4b13afee31731fca568e69b52d
                                                                                                                                                                            • Instruction ID: 52eccc5fe016dfe6cdf5300280b01a6eb67288bf14651a462f348663f6ebc7ba
                                                                                                                                                                            • Opcode Fuzzy Hash: fb9eae23a023b2f3381b771b08c661e17e01cc4b13afee31731fca568e69b52d
                                                                                                                                                                            • Instruction Fuzzy Hash: 2321E4B59002089FDB10CF9AD984AEEBBF9FB48310F14841AE958A7310D378A944CFA0
                                                                                                                                                                            APIs
                                                                                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05380C8F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DuplicateHandle
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3793708945-0
                                                                                                                                                                            • Opcode ID: 04d796e028eaf4eaf3f0c73e97d1aea4ee5eca948e9b33cf22088332b6d7396f
                                                                                                                                                                            • Instruction ID: 5983155a672902600dd8cb365b4504dc4bc7611f2210b008f16123a5e0d42a2e
                                                                                                                                                                            • Opcode Fuzzy Hash: 04d796e028eaf4eaf3f0c73e97d1aea4ee5eca948e9b33cf22088332b6d7396f
                                                                                                                                                                            • Instruction Fuzzy Hash: DC21D3B59002189FDB10CFAAD984AEEBBF5FF48310F14841AE959A7350D378A944CFA4
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 011FE7FE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HandleModule
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4139908857-0
                                                                                                                                                                            • Opcode ID: a6f2b25fae012826c9d54c0a72eeac68e8d824f62faa11edf9a961708c68e6d7
                                                                                                                                                                            • Instruction ID: 7ed78bf75ea6870235aa1911b9fac08085c38ea4631d0e463e50c5748b3a4e62
                                                                                                                                                                            • Opcode Fuzzy Hash: a6f2b25fae012826c9d54c0a72eeac68e8d824f62faa11edf9a961708c68e6d7
                                                                                                                                                                            • Instruction Fuzzy Hash: B31110B5C002498FDB14DF9AC444ADEFBF5EF88310F10842AD928A7210D379A545CFA1
                                                                                                                                                                            Memory Dump Source
• Source File: 00000000.00000002.2213555807.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f9d000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7cafb2a728b4a7abdd714e9a180246600dde18d7ddb1ca692c19db71b45e1de2
• Instruction ID: d33d770529746cfcb3c2c0d34964cfb2813db901e03e1fbf1a02415277dc5e8c
• Opcode Fuzzy Hash: 7cafb2a728b4a7abdd714e9a180246600dde18d7ddb1ca692c19db71b45e1de2
• Instruction Fuzzy Hash: 1B21F472900244DFEF15DF14D980B26BF65FB98328F34C569D9090B256C336D816E7A2
Memory Dump Source
• Source File: 00000000.00000002.2213595762.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fad000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 351eec9894a26c1af9ee251d33709e5b6587e882d0b240d25ef1767eeeb128da
• Instruction ID: b2427368c5a40da79c5ea1af31fddedd8c4e35e63f0c6d443c2fa02466ff9d70
• Opcode Fuzzy Hash: 351eec9894a26c1af9ee251d33709e5b6587e882d0b240d25ef1767eeeb128da
• Instruction Fuzzy Hash: B921F2B5604204DFCB14DF24D984B26BF65FB89324F20C569D94A4B69AC33AD807EA62
Memory Dump Source
• Source File: 00000000.00000002.2213595762.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fad000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bfac97522be1cd7614b78f2eeb6df341476410ba1c640c6ba06016a3b55e934a
• Instruction ID: d7eda8e9cfdc51d257d4907754b89648cc9c45d8612f893d1b094c43a87ba076
• Opcode Fuzzy Hash: bfac97522be1cd7614b78f2eeb6df341476410ba1c640c6ba06016a3b55e934a
• Instruction Fuzzy Hash: 152162755093C08FDB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A980ADB62
Memory Dump Source
• Source File: 00000000.00000002.2213555807.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f9d000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
• Instruction ID: 3af952ecbdcc71d97f04250ed3a4e3f1a750a5d466aff7405ad6fabd46d4b69a
• Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
• Instruction Fuzzy Hash: E611DF76804280CFDF06CF10D5C4B16BF71FB98328F28C6A9D9490B256C336D85ADBA2
Memory Dump Source
• Source File: 00000000.00000002.2213555807.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f9d000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ef7cf3c9163a19345fe8183c529da1dec1f8119472277ca571571c65333bcaf
• Instruction ID: c08f72a566045fd9b0c560bcfefa143aa89d7b14bd4a6408ec0401f370616b75
• Opcode Fuzzy Hash: 1ef7cf3c9163a19345fe8183c529da1dec1f8119472277ca571571c65333bcaf
• Instruction Fuzzy Hash: 6401A7724053449AFB108AA5CDC4B66BFD8EF45374F38C52AED094A296D2799840D673
Memory Dump Source
• Source File: 00000000.00000002.2213555807.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f9d000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 369b7537fc7775cc4363555bf49a1706c503af75777ea423335e14029cdf6c65
• Instruction ID: 43c7e3218e33931f96b38c7bd75c13f07a3e4535553dbc12ad8dc671298a97aa
• Opcode Fuzzy Hash: 369b7537fc7775cc4363555bf49a1706c503af75777ea423335e14029cdf6c65
• Instruction Fuzzy Hash: 6CF0C272404344AAEB108A16CC84BA2FFD8EF91374F28C55AED080A282C2799844CA71
Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Ea
• API String ID: 0-3364303221
• Opcode ID: 13b4e4c92b572d33092621cccd8764336d78d952df56922b1bbf811f71b96330
• Instruction ID: efafc6a570f23dc6fdf0c287769c27494091e23101438893040b569e914bb07f
• Opcode Fuzzy Hash: 13b4e4c92b572d33092621cccd8764336d78d952df56922b1bbf811f71b96330
• Instruction Fuzzy Hash: E741F331A14609CFC35CCE69D996A6ABBF1FF85310B15842ED55ACB660D334D984CF03
Strings
Memory Dump Source
• Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID: Ea
• API String ID: 0-3364303221
• Opcode ID: da1d525fd6823129e3cae1f258869980596b4b74f89628fb7989a7037db8be93
• Instruction ID: 40f61776487e3c8016e3e03c88422628135f103ef840f7bdd1be3660d8d917e5
• Opcode Fuzzy Hash: da1d525fd6823129e3cae1f258869980596b4b74f89628fb7989a7037db8be93
• Instruction Fuzzy Hash: 6341D131A10609CFC768CE69D995A6ABBF6FB84210B55842ED51ACB660E334E980CB43
Memory Dump Source
• Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b348ecee15759d36fbcdbc4310c085deafd242ba3fd10c350fb22eba41ebba6a
• Instruction ID: 85cce390457c809f9a119835900733909135795f8fc39429977e838ea827dcee
• Opcode Fuzzy Hash: b348ecee15759d36fbcdbc4310c085deafd242ba3fd10c350fb22eba41ebba6a
• Instruction Fuzzy Hash: 121285B04027458BEB30CF65E94C1897BB1BB85719BA08309D2656F2F9DFB8154BCF64
Memory Dump Source
• Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7225bea495e6b757aae7dd7565d5c9f5174370f7f7d1162e0c4796043c9aa872
• Instruction ID: 7ab36e727d783454e08a458a9da05756c406ad113aadea6239c76197dc505489
• Opcode Fuzzy Hash: 7225bea495e6b757aae7dd7565d5c9f5174370f7f7d1162e0c4796043c9aa872
• Instruction Fuzzy Hash: 98E10631C2075A8ADB05EF64D950AADB7B1FF96300F10C7AAD0497B225EB746AC9CB41
Memory Dump Source
• Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 697c3506c87f5284478657798b6ca907ec2d0be89d56d14ffc538353f6983828
• Instruction ID: ac98cb5fab733f0afa3ae4efa8bc10db41697058ce38a80061d998d096a972c7
• Opcode Fuzzy Hash: 697c3506c87f5284478657798b6ca907ec2d0be89d56d14ffc538353f6983828
• Instruction Fuzzy Hash: E7A16E36F003058FCF19EFB5C8449AEBBB2FF85300B15456AE806AB265DB71E956CB50
Memory Dump Source
• Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c478c6f572ea8a8b60d3030eda1a8c3c3204dc49b91786979eab47cc3c9203a0
• Instruction ID: af365dfd00bce79ed6cebae88f1ca6fe7dd56c3ff805e4107fb0397c7306a55b
• Opcode Fuzzy Hash: c478c6f572ea8a8b60d3030eda1a8c3c3204dc49b91786979eab47cc3c9203a0
• Instruction Fuzzy Hash: C2D1E635C2065ACADB05EF64D950AADB3B1FF95300F10C7AAD0097B225EB746AC9CF81
Memory Dump Source
• Source File: 00000000.00000002.2218757388.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5380000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de1f892ae2c867afb23d1e6ade0e8c057552bac636c3440674c387ccced6305c
• Instruction ID: aac72839c58d4d90d19832165834e5a58d6dc79a9eb76d801d4fd96f7dedac5d
• Opcode Fuzzy Hash: de1f892ae2c867afb23d1e6ade0e8c057552bac636c3440674c387ccced6305c
• Instruction Fuzzy Hash: ACC1D4B08127468AEB34CF69E84C1897BB1BB85729F608319D1616F2F8DFB8144BCF54
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 26478081ec2770681717db1b40c09dc5d2f641289fe63ec24b8bb063703c0038
                                                                                                                                                                            • Instruction ID: 30564341a6c48bc48715923e997ad2f2ce3a5859c833ae2ccdbed5e1bbe74474
                                                                                                                                                                            • Opcode Fuzzy Hash: 26478081ec2770681717db1b40c09dc5d2f641289fe63ec24b8bb063703c0038
                                                                                                                                                                            • Instruction Fuzzy Hash: EC71C471F24205CFCB48CF59C9815AEFBB1BB84210F56826BD625EB351D334DA41CB92
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2214157321.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_11f0000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 7d6626396b2a0e0c78584c87af569a91d27237c8e1641c073b60add765c275f0
                                                                                                                                                                            • Instruction ID: 306b0a193238d23b7542017b41e6f9e3ac552ef473c5cdb74d813ead4e577090
                                                                                                                                                                            • Opcode Fuzzy Hash: 7d6626396b2a0e0c78584c87af569a91d27237c8e1641c073b60add765c275f0
                                                                                                                                                                            • Instruction Fuzzy Hash: 5F212631E141068BCB0CCF69C8915AEFFB5BB91220F16856BD621EB352D334CB41CB92

                                                                                                                                                                            Execution Graph

                                                                                                                                                                            Execution Coverage:7.5%
                                                                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                            Signature Coverage:0%
                                                                                                                                                                            Total number of Nodes:33
                                                                                                                                                                            Total number of Limit Nodes:5
execution_graph (one entry per node: id address [API] -> successor ids)
• 15234 116d300 DuplicateHandle -> 15235
• 15235 116d396
• 15236 116ad38 -> 15239
• 15237 116ad47
• 15239 116ae30 -> 15240, 15241
• 15240 116ae64 -> 15237
• 15241 116ae41 -> 15240, 15242
• 15242 116b068 GetModuleHandleW -> 15243
• 15243 116b095 -> 15237
• 15244 116d0b8 -> 15245
• 15245 116d0fe GetCurrentProcess -> 15247, 15248
• 15247 116d150 GetCurrentThread -> 15249, 15250
• 15248 116d149 -> 15247
• 15249 116d186 -> 15250
• 15250 116d18d GetCurrentProcess -> 15251
• 15251 116d1c3 -> 15252
• 15252 116d1eb GetCurrentThreadId -> 15253
• 15253 116d21c
• 15254 1164668 -> 15255
• 15255 1164684 -> 15256, 15258
• 15256 1164696
• 15258 11647a0 -> 15259
• 15259 11647c5 -> 15263, 15267
• 15263 11648b0 -> 15264
• 15264 11648d7 -> 15265, 15271
• 15265 11649b4
• 15267 11648a1 -> 15269
• 15268 11649b4 -> 15268 (self-loop)
• 15269 11648b0 -> 15268, 15270
• 15270 1164248 CreateActCtxA -> 15268
• 15271 1164248 -> 15272
• 15272 1165940 CreateActCtxA -> 15274
• 15274 1165a03

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
control_flow_graph (one entry per basic block: id start-end [call target] [API] -> successor ids)
• 294 116d0a8-116d147 GetCurrentProcess -> 298, 299
• 298 116d150-116d184 GetCurrentThread -> 300, 301
• 299 116d149-116d14f -> 298
• 300 116d186-116d18c -> 301
• 301 116d18d-116d1c1 GetCurrentProcess -> 303, 304
• 303 116d1c3-116d1c9 -> 304
• 304 116d1ca-116d1e5 call 116d289 -> 307
• 307 116d1eb-116d21a GetCurrentThreadId -> 308, 309
• 308 116d223-116d285
• 309 116d21c-116d222 -> 308
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0116D136
                                                                                                                                                                            • GetCurrentThread.KERNEL32 ref: 0116D173
                                                                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0116D1B0
                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0116D209
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3901004480.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_1160000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Current$ProcessThread
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2063062207-0
                                                                                                                                                                            • Opcode ID: 72957cd2d472cdf58d879570ff3893cb77d3470334af79a87b814a9f0bc6c59c
                                                                                                                                                                            • Instruction ID: 8b315c6a8ced97bbf7fa66ad09018c3639e9a168bfeb544b8614baa93c300aad
                                                                                                                                                                            • Opcode Fuzzy Hash: 72957cd2d472cdf58d879570ff3893cb77d3470334af79a87b814a9f0bc6c59c
                                                                                                                                                                            • Instruction Fuzzy Hash: 285166B0900209CFDB08DFA9E648BAEBFF5EF48304F20C459E109A7260D7799944CF65
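Joe Sandbox emits each of these graphs as one whitespace-separated line of node declarations (`id address[-end] [call target]... [APIName]`) and edges (`src->dst`). The script below is an added example and is not part of the Joe Sandbox report or its IDA plugin output. It parses the execution graph and the first control-flow graph shown above (both copied verbatim from this report) and lists, for each graph root, the Win32 APIs reachable from it. The token grammar is inferred from the text of this report rather than taken from a published format description, and the function and variable names are my own.

```python
"""Parse the single-line graph text Joe Sandbox emits for its execution and
control-flow graphs and list which Win32 APIs each graph root can reach.

Token grammar (inferred from this report, not from a published spec):
  <kind> then, in any order,
  node:  ID ADDR[-END] ("call" TARGET)* [APINAME]
  edge:  SRC->DST
The address always follows the node id, so an all-digit address such as
1165940 is never mistaken for a new node id.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")

# Copied verbatim from the report above (process 6, region 0x1160000).
EXECUTION_GRAPH = (
    "execution_graph 15234 116d300 DuplicateHandle 15235 116d396 15234->15235 "
    "15236 116ad38 15239 116ae30 15236->15239 15237 116ad47 15240 116ae64 15239->15240 "
    "15241 116ae41 15239->15241 15240->15237 15241->15240 15242 116b068 GetModuleHandleW "
    "15241->15242 15243 116b095 15242->15243 15243->15237 15244 116d0b8 "
    "15245 116d0fe GetCurrentProcess 15244->15245 15247 116d150 GetCurrentThread "
    "15245->15247 15248 116d149 15245->15248 15249 116d186 15247->15249 "
    "15250 116d18d GetCurrentProcess 15247->15250 15248->15247 15249->15250 "
    "15251 116d1c3 15250->15251 15252 116d1eb GetCurrentThreadId 15251->15252 "
    "15253 116d21c 15252->15253 15254 1164668 15255 1164684 15254->15255 "
    "15256 1164696 15255->15256 15258 11647a0 15255->15258 15259 11647c5 15258->15259 "
    "15263 11648b0 15259->15263 15267 11648a1 15259->15267 15264 11648d7 15263->15264 "
    "15265 11649b4 15264->15265 15271 1164248 15264->15271 15269 11648b0 15267->15269 "
    "15268 11649b4 15268->15268 15269->15268 15270 1164248 CreateActCtxA 15269->15270 "
    "15270->15268 15272 1165940 CreateActCtxA 15271->15272 15274 1165a03 15272->15274"
)
CFG_GETCURRENTPROCESS = (
    "control_flow_graph 294 116d0a8-116d147 GetCurrentProcess "
    "298 116d150-116d184 GetCurrentThread 294->298 299 116d149-116d14f 294->299 "
    "300 116d186-116d18c 298->300 301 116d18d-116d1c1 GetCurrentProcess 298->301 "
    "299->298 300->301 303 116d1c3-116d1c9 301->303 304 116d1ca-116d1e5 call 116d289 "
    "301->304 303->304 307 116d1eb-116d21a GetCurrentThreadId 304->307 "
    "308 116d223-116d285 307->308 309 116d21c-116d222 307->309 309->308"
)


def parse_graph(text):
    """Return (kind, nodes, edges); nodes maps id -> dict(addr, end, api, calls)."""
    tokens = text.split()
    kind, tokens = tokens[0], tokens[1:]
    if kind not in ("execution_graph", "control_flow_graph"):
        raise ValueError(f"unknown graph kind {kind!r}")
    nodes, edges = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if not NODE_ID_RE.match(tok) or i + 1 >= len(tokens):
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        nid, addr = int(tok), tokens[i + 1]
        start, _, end = addr.partition("-")
        node = {"addr": start, "end": end or None, "api": None, "calls": []}
        i += 2
        while i < len(tokens):
            tok = tokens[i]
            if EDGE_RE.match(tok) or NODE_ID_RE.match(tok):
                break  # next edge or next node declaration
            if tok == "call":
                if i + 1 >= len(tokens):
                    raise ValueError("dangling 'call' annotation")
                node["calls"].append(tokens[i + 1])  # 'call TARGET' annotation
                i += 2
            else:
                node["api"] = tok  # resolved Win32 import at this node
                i += 1
        nodes[nid] = node
    return kind, nodes, edges


def roots(nodes, edges):
    """Node ids with no incoming edge (self-loops do not count)."""
    has_in = {dst for src, dst in edges if src != dst}
    return sorted(n for n in nodes if n not in has_in)


def reachable_apis(nodes, edges, root):
    """(addr, api) pairs reachable from root, ordered by address."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, stack = set(), [root]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(succ[n])
    hits = [(nodes[n]["addr"], nodes[n]["api"]) for n in seen if nodes[n]["api"]]
    return sorted(hits, key=lambda h: int(h[0], 16))


def api_summary(text):
    """Map each root id to the list of API names reachable from it."""
    _, nodes, edges = parse_graph(text)
    return {r: [api for _, api in reachable_apis(nodes, edges, r)]
            for r in roots(nodes, edges)}


if __name__ == "__main__":
    for text in (EXECUTION_GRAPH, CFG_GETCURRENTPROCESS):
        kind, nodes, edges = parse_graph(text)
        print(f"{kind}: {len(nodes)} nodes, {len(edges)} edges")
        for root, apis in api_summary(text).items():
            print(f"  root {root} @ {nodes[root]['addr']}: {', '.join(apis) or '(no API)'}")
```

The reachable-API list is ordered by address, not by execution order: the graph records which nodes are reachable from a root, and the sandbox's API log is still needed for the actual call sequence. Note also that the GetCurrentProcess / GetCurrentThread / GetCurrentThreadId / DuplicateHandle chain visible here is generic handle bookkeeping that ordinary programs perform as well; its presence alone says nothing about the sample, which is why the parsed API list is best used to cross-check which signature-flagged call sites were actually executed.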

                                                                                                                                                                            Control-flow Graph

control_flow_graph (one entry per basic block: id start-end [call target] [API] -> successor ids)
• 316 116d0b8-116d147 GetCurrentProcess -> 320, 321
• 320 116d150-116d184 GetCurrentThread -> 322, 323
• 321 116d149-116d14f -> 320
• 322 116d186-116d18c -> 323
• 323 116d18d-116d1c1 GetCurrentProcess -> 325, 326
• 325 116d1c3-116d1c9 -> 326
• 326 116d1ca-116d1e5 call 116d289 -> 329
• 329 116d1eb-116d21a GetCurrentThreadId -> 330, 331
• 330 116d223-116d285
• 331 116d21c-116d222 -> 330
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0116D136
                                                                                                                                                                            • GetCurrentThread.KERNEL32 ref: 0116D173
                                                                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0116D1B0
                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0116D209
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3901004480.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_1160000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Current$ProcessThread
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2063062207-0
                                                                                                                                                                            • Opcode ID: 53e722f36e41de60bed8b4b6166846cbf6417fd2e60d828934b372d69b635e48
                                                                                                                                                                            • Instruction ID: 0b3f511ae0ebee89a828a74c4765ff1cb39efb3b8feb6ce190e5a658c87d87e8
                                                                                                                                                                            • Opcode Fuzzy Hash: 53e722f36e41de60bed8b4b6166846cbf6417fd2e60d828934b372d69b635e48
                                                                                                                                                                            • Instruction Fuzzy Hash: 895156B09002098FDB08DFAAE548BAEBFF5EF48314F20C419E109A7260C7799944CF65

                                                                                                                                                                            Control-flow Graph

control_flow_graph (one entry per basic block: id start[-end] [call target ...] [API] -> successor ids)
• 338 116ae30-116ae3f -> 339, 340
• 339 116ae41-116ae4e call 1169838 -> 347, 348
• 340 116ae6b-116ae6f -> 342, 343
• 342 116ae83-116aec4 -> 349, 350
• 343 116ae71-116ae7b -> 342
• 347 116ae64 -> 340
• 348 116ae50 -> 396, 397
• 349 116aec6-116aece -> 350
• 350 116aed1-116aedf -> 351, 352
• 351 116af03-116af05 -> 357
• 352 116aee1-116aee6 -> 354, 355
• 353 116ae5c-116ae5e -> 347, 356
• 354 116aef1 -> 359
• 355 116aee8-116aeef call 116a814 -> 359
• 356 116afa0-116afb7 -> 371
• 357 116af08-116af0f -> 360, 361
• 359 116aef3-116af01 -> 357
• 360 116af11-116af19 -> 361
• 361 116af1c-116af23 -> 362, 363
• 362 116af25-116af2d -> 363
• 363 116af30-116af39 call 116a824 -> 369, 370
• 369 116af46-116af4b -> 372, 373
• 370 116af3b-116af43 -> 369
• 371 116afb9-116b018 -> 389
• 372 116af4d-116af54 -> 373, 374
• 373 116af69-116af76 -> 378, 379
• 374 116af56-116af66 call 116a834 call 116a844 -> 373
• 378 116af78-116af96 -> 379
• 379 116af99-116af9f
• 389 116b01a-116b060 -> 391, 392
• 391 116b062-116b065 -> 392
• 392 116b068-116b093 GetModuleHandleW -> 393, 394
• 393 116b095-116b09b -> 394
• 394 116b09c-116b0b0
• 396 116ae56 call 116b0b8 -> 353
• 397 116ae56 call 116b0c8 -> 353
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0116B086
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3901004480.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_1160000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HandleModule
                                                                                                                                                                            • String ID: 0V$0V
                                                                                                                                                                            • API String ID: 4139908857-4216712621
                                                                                                                                                                            • Opcode ID: 985dc46a6dee898290a12b1d95872a15015b818eb3d50e3fa4e356ea891e7df9
                                                                                                                                                                            • Instruction ID: b710106881d0f8ddaf3d1e305edc657358f3281450425cef0f3d25e99195d3a1
                                                                                                                                                                            • Opcode Fuzzy Hash: 985dc46a6dee898290a12b1d95872a15015b818eb3d50e3fa4e356ea891e7df9
                                                                                                                                                                            • Instruction Fuzzy Hash: D37147B0A00B058FD728DF29E54175ABBF9FF88304F00892DE446E7A50DB76E915CB91

                                                                                                                                                                            Control-flow Graph

control_flow_graph (one entry per basic block: id start[-end] [API] -> successor ids)
• 451 1164248-1165a01 CreateActCtxA -> 454, 455
• 454 1165a03-1165a09 -> 455
• 455 1165a0a-1165a64 -> 462, 463
• 462 1165a66-1165a69 -> 463
• 463 1165a73-1165a77 -> 464, 465
• 464 1165a88 -> 467
• 465 1165a79-1165a85 -> 464
• 467 1165a89 -> 467 (self-loop)
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 011659F1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3901004480.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_1160000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            • Opcode ID: c9e14b9d5a8bd7adf428617c1e3a7c93e77b31dfb8417c0d1a3eca610e48aea6
                                                                                                                                                                            • Instruction ID: 4ce2fa1cce5d60ac7fe9c9dc0573281df747be3ac64dcfb6d4ab5574964f4324
                                                                                                                                                                            • Opcode Fuzzy Hash: c9e14b9d5a8bd7adf428617c1e3a7c93e77b31dfb8417c0d1a3eca610e48aea6
                                                                                                                                                                            • Instruction Fuzzy Hash: 4141C2B0C00719CBDB68DFA9C884B9DBBF6FF49304F20806AD408AB255DB766945CF91

                                                                                                                                                                            Control-flow Graph

control_flow_graph (one entry per basic block: id start[-end] [API] -> successor ids)
• 468 1165935-116593c -> 469
• 469 1165944-1165a01 CreateActCtxA -> 471, 472
• 471 1165a03-1165a09 -> 472
• 472 1165a0a-1165a64 -> 479, 480
• 479 1165a66-1165a69 -> 480
• 480 1165a73-1165a77 -> 481, 482
• 481 1165a88 -> 484
• 482 1165a79-1165a85 -> 481
• 484 1165a89 -> 484 (self-loop)
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 011659F1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3901004480.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_1160000_5tCuNr661k.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            • Opcode ID: 44fd8e3db49dda46b4409fef0ffc6bd9ba594e1fbd93db0649b15cbd868cae23
                                                                                                                                                                            • Instruction ID: 58048517c704537e6888cc633f351314a726e76564be04ce00dc88955992bdee
                                                                                                                                                                            • Opcode Fuzzy Hash: 44fd8e3db49dda46b4409fef0ffc6bd9ba594e1fbd93db0649b15cbd868cae23
                                                                                                                                                                            • Instruction Fuzzy Hash: 5D41E3B0C00719CEDB18DFA9C884B9DBBB6FF49304F24806AD418AB254DB766946CF91

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 490 116d300-116d394 DuplicateHandle 491 116d396-116d39c 490->491 492 116d39d-116d3ba 490->492 491->492
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0116D387
Memory Dump Source
• Source File: 00000006.00000002.3901004480.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1160000_5tCuNr661k.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 6f1c780df1d85ced1d368ffec6e25a9e53c10f3910b71b7e0c6321128eb80ea0
• Instruction ID: 6291cb6c9b115b07c3d4c07ce08dd547b827ed220881eb20e944c0f407ac42d2
• Opcode Fuzzy Hash: 6f1c780df1d85ced1d368ffec6e25a9e53c10f3910b71b7e0c6321128eb80ea0
• Instruction Fuzzy Hash: D721F5B59002089FDB10CF9AD984AEEFFF9FB48310F14801AE918A3310D379A954CFA4

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 485 116d2f9-116d394 DuplicateHandle 486 116d396-116d39c 485->486 487 116d39d-116d3ba 485->487 486->487
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0116D387
Memory Dump Source
• Source File: 00000006.00000002.3901004480.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1160000_5tCuNr661k.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 0ccd4608d28fdda2a4cdc70bd5b67abfc7c577998f0cfcb4e958f8ccd705dab8
• Instruction ID: 81c6a921a6e40d19b79cfc6cf25b7b231ff17efb48245a4bc8da95df7c0f23c1
• Opcode Fuzzy Hash: 0ccd4608d28fdda2a4cdc70bd5b67abfc7c577998f0cfcb4e958f8ccd705dab8
• Instruction Fuzzy Hash: DA21E4B5D002089FDB10CF99D985AEEBBF9FB48310F14841AE918B3310D378AA54CFA0

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 495 116b020-116b060 496 116b062-116b065 495->496 497 116b068-116b093 GetModuleHandleW 495->497 496->497 498 116b095-116b09b 497->498 499 116b09c-116b0b0 497->499 498->499
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0116B086
Memory Dump Source
• Source File: 00000006.00000002.3901004480.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1160000_5tCuNr661k.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 816c3a56f9d59bbf2d5ddf01c55a3a5fd615643532252ad9bee18b0bcbda4509
• Instruction ID: 578f8336c41aee2dec98ddf56703e520afa625eef21cac5bfc20291108ae08f1
• Opcode Fuzzy Hash: 816c3a56f9d59bbf2d5ddf01c55a3a5fd615643532252ad9bee18b0bcbda4509
• Instruction Fuzzy Hash: CC11DFB6D003498FDB24DF9AC444A9EFBF9AB89310F10841AD929B7210D37AA545CFA5
Memory Dump Source
• Source File: 00000006.00000002.3900732213.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ead000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2087a510a088979e717e89af1b23aaea0ebfeb7d406811f31dae416eb8dce434
• Instruction ID: 8e35daa6e48e53fb3a0cdcc69d7bdb37c84a17269ef95e668c563a6fa85c653c
• Opcode Fuzzy Hash: 2087a510a088979e717e89af1b23aaea0ebfeb7d406811f31dae416eb8dce434
• Instruction Fuzzy Hash: 68213371108204DFDB05DF14C9C0B26BF65FB9D324F20C169E90A5F656C33AF816DAA2
Memory Dump Source
• Source File: 00000006.00000002.3900784885.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ebd000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de6efd598308365a084d9325947a62e302163ef5d94119fa99b371bed1229861
• Instruction ID: 823ea65fbe5cb70af398f78095f8811dfd2d3038266a64a788ee6b0f630ed391
• Opcode Fuzzy Hash: de6efd598308365a084d9325947a62e302163ef5d94119fa99b371bed1229861
• Instruction Fuzzy Hash: 32212271608200DFCB14EF24D980B67BF66FB88318F20C569D80A5B296D33AD807CAA1
Memory Dump Source
• Source File: 00000006.00000002.3900784885.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ebd000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9d4aa2a313bf95a7aa5aca0bd2419a6bd2e92bd7ab5d47878cc59113a9a4631
• Instruction ID: 05112bf310713c93d95f658615d5a0da0037aa48706a20b54c324fabc6ee62d3
• Opcode Fuzzy Hash: b9d4aa2a313bf95a7aa5aca0bd2419a6bd2e92bd7ab5d47878cc59113a9a4631
• Instruction Fuzzy Hash: 6621837550D3808FCB02DF24D994716BF71EB46314F28C5DAD8498B2A7C33A980ACB62
Memory Dump Source
• Source File: 00000006.00000002.3900732213.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ead000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
• Instruction ID: d572cdb73a6366980b8d3ceef49521a3e6ebc6f014776b39d244b3ad869208dd
• Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
• Instruction Fuzzy Hash: A7110376404240CFDB12CF00D9C4B16BF71FB99324F24C6A9D90A0F656C33AE85ACBA2
Memory Dump Source
• Source File: 00000006.00000002.3900732213.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ead000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05a34ebcc49766d3a1c1f26c2fc156c683f900fbaaaf3de41ae1461c58bc42ac
• Instruction ID: 35def9492080bbf1ff292f91d126c5f1d9ebee7da0d2aba3f4d51be7cf693deb
• Opcode Fuzzy Hash: 05a34ebcc49766d3a1c1f26c2fc156c683f900fbaaaf3de41ae1461c58bc42ac
• Instruction Fuzzy Hash: 72F0F976200640AF97208F0ADC84C27FBADFFD5774719C55AE84A5B626C671FC41CEA0
Memory Dump Source
• Source File: 00000006.00000002.3900732213.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ead000_5tCuNr661k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04dca8f70745dc9459169da7ce0ef7cab4b9ab15958da3b7eeb61e1aa535ef43
• Instruction ID: f446808d9058243991259782eb33a79360aa115aff7b0cf6442ca8abf6cab5b8
• Opcode Fuzzy Hash: 04dca8f70745dc9459169da7ce0ef7cab4b9ab15958da3b7eeb61e1aa535ef43
• Instruction Fuzzy Hash: F2F03C75104680AFD7158F05CC84C62BFB9EFCA7607198489E88A5B662C671FC42CF60