Windows Analysis Report
1rjcA65eoG.exe

Overview

General Information

Sample name: 1rjcA65eoG.exe (renamed because the original name is a hash value)
Original sample name: 3fee866de2ecef0d0fbaeb9297be4daf.exe
Analysis ID: 1646702
MD5: 3fee866de2ecef0d0fbaeb9297be4daf
SHA1: 582838d465cce216f7115db662827d47023f4519
SHA256: 7f360d2a3373811cb6fbe98bf8217db440b8a1f4c28e35462eded4d7b4b5b60b
Tags: exe, RedLineStealer, user-abuse_ch

Detection

RedLine
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Verdict: malicious (score 100 of 100; see Detection above)

Process tree:
  • System is w10x64
  • 1rjcA65eoG.exe (PID: 6484, cmdline: "C:\Users\user\Desktop\1rjcA65eoG.exe", MD5: 3FEE866DE2ECEF0D0FBAEB9297BE4DAF)
  • cleanup
Threat name: RedLine Stealer
Description: RedLine Stealer is malware sold on underground forums, apparently both as a standalone build ($100/$150 depending on the version) and on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including the username, location data, hardware configuration, and information about installed security software. More recent versions added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Malware configuration (RedLine):
{
  "C2 url": [
    "185.153.198.36:1912"
  ],
  "Bot Id": "first",
  "Authorization Header": "c74790bd166600f1f665c8ce201776eb"
}
Yara matches on the submitted file (Source | Rule | Description | Author):
1rjcA65eoG.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
1rjcA65eoG.exe | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
  Matched strings (offset: identifier: content):
    • 0x24cc3: $gen01: ChromeGetRoamingName
    • 0x24ce8: $gen02: ChromeGetLocalName
    • 0x24d2b: $gen03: get_UserDomainName
    • 0x28bc4: $gen04: get_encrypted_key
    • 0x27943: $gen05: browserPaths
    • 0x27c19: $gen06: GetBrowsers
    • 0x27501: $gen07: get_InstalledInputLanguages
    • 0x239cc: $gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
    • 0x3018: $spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
    • 0x29006: $spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
    • 0x290a4: $spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
    • 0x296c2: $spe9: *wallet*
    • 0x219ea: $typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
    • 0x21f14: $typ03: A937C899247696B6565665BE3BD09607F49A2042
    • 0x21fc1: $typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
    • 0x21998: $typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
    • 0x219c1: $typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
    • 0x21b92: $typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
    • 0x21de5: $typ11: 2A19BFD7333718195216588A698752C517111B02
    • 0x220d4: $typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
  Note on the $spe hits: several of them are the sample's split-string obfuscation, in which a junk token ("String", "FileInfo", "Generic") is inserted into a literal and removed before the literal is used, so the rule matches the on-disk form rather than the plaintext. Read with the token stripped, $spe7 is "Opera GX Stable", $spe8 is "AppData\Roaming\" and $spe1 is the token-shaped regex [A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27} that stealers use to harvest Discord tokens. A plain string search for the cleartext literals therefore misses this file; the $gen hits are ordinary .NET member names and are unaffected.
Yara matches on the network capture (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches on memory dumps (Source | Rule | Description | Author):
00000000.00000000.1045515269.0000000000462000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: 1rjcA65eoG.exe PID: 6484 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: 1rjcA65eoG.exe PID: 6484 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches on unpacked PE files (Source | Rule | Description | Author):
0.0.1rjcA65eoG.exe.460000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.0.1rjcA65eoG.exe.460000.0.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
  Matched strings: the same 20 hits ($gen01-$gen08, $spe1, $spe7-$spe9, $typ02-$typ13) at the same offsets as listed for 1rjcA65eoG.exe above.
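The split-string obfuscation behind the Sekoia.io $spe hits, as an added example (this is not code from the report, from Sekoia.io's rule, or from RedLine). The three hit strings are copied from the Yara section above; the junk-token list and the sample text fed to the recovered regex are assumptions made for the demonstration, and the token-shaped string in SAMPLE_TEXT is constructed, not a real credential.

```python
"""Recover the runtime form of RedLine's split-string literals from Yara hits.

Added example, not taken from the Joe Sandbox report, Sekoia.io or RedLine.
YARA_HITS is copied from the report; JUNK_TOKENS and SAMPLE_TEXT are
assumptions made for the demo.
"""
import re

# Assumption: the tokens this sample inserts into its literals, read off the hits.
JUNK_TOKENS = ("String", "FileInfo", "Generic")

# Copied from the report (Sekoia.io rule hits on 1rjcA65eoG.exe).
YARA_HITS = {
    "$spe1": r"[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}",
    "$spe7": "OFileInfopeFileInfora GFileInfoX StabFileInfole",
    "$spe8": "ApGenericpDaGenericta\\RGenericoamiGenericng\\",
}


def junk_token(s, candidates=JUNK_TOKENS):
    """Return the candidate that recurs most often in s, or None.

    A genuine junk token appears several times inside one literal; a single
    coincidental occurrence (a real identifier containing "String") is left alone.
    """
    counts = {t: s.count(t) for t in candidates}
    best = max(counts, key=counts.get)
    return best if counts[best] >= 2 else None


def deobfuscate(s, candidates=JUNK_TOKENS):
    """Strip the junk token, which is what the sample does before using the literal."""
    tok = junk_token(s, candidates)
    return s.replace(tok, "") if tok else s


def deobfuscate_hits(hits):
    """Map every Yara hit to its recovered plaintext."""
    return {name: deobfuscate(value) for name, value in hits.items()}


def find_tokens(text):
    """Apply the recovered $spe1 regex, the token-shaped pattern stealers use
    to pull Discord tokens out of browser and application storage."""
    pattern = re.compile(deobfuscate(YARA_HITS["$spe1"]))
    return pattern.findall(text)


# Constructed sample, not a real token: three dot-separated groups of 24, 6 and 27 characters.
SAMPLE_TEXT = "token=" + "N" * 24 + ".Xy12_-." + "q" * 27 + "\n"

if __name__ == "__main__":
    for name, clear in deobfuscate_hits(YARA_HITS).items():
        print(f"{name}: {clear}")
    print(find_tokens(SAMPLE_TEXT))
```

The practical consequence: a rule or a grep keyed on the cleartext ("Opera GX Stable", "AppData\Roaming\") does not hit this file on disk, which is why the Sekoia.io rule carries the obfuscated form. If a later build changes the junk token (an assumption, not something this report shows), the $spe strings need refreshing while the $gen member names keep matching.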
No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source -> Destination | Protocol):
2025-03-24T08:30:49.165360+0100 | 2043234 | 1 | A Network Trojan was detected | 185.153.198.36:1912 -> 192.168.2.10:49683 | TCP
2025-03-24T08:30:48.957019+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.10:49683 -> 185.153.198.36:1912 | TCP
2025-03-24T08:30:54.231043+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.10:49683 -> 185.153.198.36:1912 | TCP
2025-03-24T08:30:58.701236+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.10:49683 -> 185.153.198.36:1912 | TCP
2025-03-24T08:30:59.953209+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.10:49683 -> 185.153.198.36:1912 | TCP
2025-03-24T08:30:56.830918+0100 | 2046056 | 1 | A Network Trojan was detected | 185.153.198.36:1912 -> 192.168.2.10:49683 | TCP
2025-03-24T08:30:48.957019+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.10:49683 -> 185.153.198.36:1912 | TCP


                    AV Detection

Source: 1rjcA65eoG.exe | Malware Configuration Extractor: RedLine {"C2 url": ["185.153.198.36:1912"], "Bot Id": "first", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 1rjcA65eoG.exe | ReversingLabs: Detection: 75%
Source: 1rjcA65eoG.exe | Virustotal: Detection: 83%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1rjcA65eoG.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1rjcA65eoG.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Code function: 4x nop then jmp 0602AA68h | 0_2_0602A570
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Code function: 4x nop then jmp 06028533h | 0_2_06028270
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Code function: 4x nop then jmp 060280FDh | 0_2_06027D20
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Code function: 4x nop then jmp 060280FDh | 0_2_06027D30
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Code function: 4x nop then jmp 060262BFh | 0_2_06025B60

                    Networking

Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.10:49683 -> 185.153.198.36:1912
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.10:49683 -> 185.153.198.36:1912
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 185.153.198.36:1912 -> 192.168.2.10:49683
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.153.198.36:1912 -> 192.168.2.10:49683
Source: Malware configuration extractor | URLs: 185.153.198.36:1912
Source: global traffic | TCP traffic: 192.168.2.10:49683 -> 185.153.198.36:1912
Source: Joe Sandbox View | ASN Name: RMINJINERINGRU
Source: unknown | TCP traffic detected without corresponding DNS query: 185.153.198.36 (reported 50 times)
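The two network findings above (connections to the extracted C2, and TCP to an address that no DNS answer returned) as detection logic over flow records, added here as an example; it is not code from the report or from Joe Sandbox. The configuration JSON is copied from the report's Malware Configuration Extractor output. The connection and DNS records, the log layout, the LOCAL_NET value and the COMMON_PORTS set are constructed assumptions that mirror the sandbox run (192.168.2.10 -> 185.153.198.36:1912) and are not parsed from the report's pcap; the two benign destinations use TEST-NET addresses.

```python
"""Correlate connection and DNS records against the C2 from a RedLine config.

Added example, not code from the Joe Sandbox report or from RedLine.
REDLINE_CONFIG is copied from the report; CONN_LOG, DNS_LOG, LOCAL_NET and
COMMON_PORTS are constructed assumptions for the demonstration.
"""
import ipaddress
import json

REDLINE_CONFIG = json.loads("""{
  "C2 url": ["185.153.198.36:1912"],
  "Bot Id": "first",
  "Authorization Header": "c74790bd166600f1f665c8ce201776eb"
}""")

LOCAL_NET = ipaddress.ip_network("192.168.2.0/24")   # assumption: the sandbox client network
COMMON_PORTS = {53, 80, 443}                         # assumption: ports not treated as non-standard

# Constructed records, whitespace separated: ts src sport dst dport proto
CONN_LOG = """\
1742801448.957 192.168.2.10 49683 185.153.198.36 1912 tcp
1742801449.100 192.168.2.10 49690 198.51.100.7 443 tcp
1742801450.200 192.168.2.10 49702 203.0.113.9 443 tcp
1742801454.231 192.168.2.10 49683 185.153.198.36 1912 tcp
1742801458.701 192.168.2.10 49683 185.153.198.36 1912 tcp
"""
# Constructed records: ts client query answer
DNS_LOG = """\
1742801449.050 192.168.2.10 cdn.example.test 198.51.100.7
"""


def parse_c2(config):
    """Turn the extractor's "host:port" strings into (host, port) tuples."""
    out = set()
    for entry in config["C2 url"]:
        host, _, port = entry.rpartition(":")
        out.add((host, int(port)))
    return out


def parse_conn(text):
    """Parse the constructed flow records into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport, proto = line.split()
        rows.append({"ts": float(ts), "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "proto": proto})
    return rows


def resolved_addresses(text):
    """IPs that some DNS answer returned. A destination outside this set was
    contacted by hard-coded address, which is what the report's
    "TCP traffic detected without corresponding DNS query" finding reports."""
    return {line.split()[3] for line in text.splitlines()}


def evaluate(conn_rows, dns_answers, c2):
    """Flag outbound flows that match the extracted C2, lack a DNS answer,
    or use a non-standard TCP port; reasons are kept so the analyst sees why."""
    findings = []
    for row in conn_rows:
        if ipaddress.ip_address(row["dst"]) in LOCAL_NET:
            continue  # only outbound flows are of interest here
        reasons = []
        if (row["dst"], row["dport"]) in c2:
            reasons.append("c2_match")
        if row["dst"] not in dns_answers:
            reasons.append("no_dns_for_dst")
        if row["proto"] == "tcp" and row["dport"] not in COMMON_PORTS:
            reasons.append("nonstandard_port")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


def summarize_c2(findings):
    """Per-C2 hit count and time span, the form an incident ticket carries."""
    summary = {}
    for f in findings:
        if "c2_match" not in f["reasons"]:
            continue
        key = f"{f['dst']}:{f['dport']}"
        s = summary.setdefault(key, {"count": 0, "first": f["ts"], "last": f["ts"]})
        s["count"] += 1
        s["first"] = min(s["first"], f["ts"])
        s["last"] = max(s["last"], f["ts"])
    return summary


if __name__ == "__main__":
    c2 = parse_c2(REDLINE_CONFIG)
    hits = evaluate(parse_conn(CONN_LOG), resolved_addresses(DNS_LOG), c2)
    for h in hits:
        print(f"{h['ts']:.3f} {h['src']}:{h['sport']} -> {h['dst']}:{h['dport']} {h['reasons']}")
    print(summarize_c2(hits))
```

The C2 match is the high-confidence signal; the no-DNS and non-standard-port reasons are the weaker heuristics the sandbox also raised, and on real traffic they need an allow list (software updaters and CDNs also connect to bare IPs), which is why the flow to 203.0.113.9 is surfaced with a single reason rather than scored like the C2 hits.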
Strings found in binary or memory, grouped by memory region. These URLs are WS-* and SOAP namespace constants that the .NET System.ServiceModel (WCF) stack carries; they are not attacker infrastructure and must not be treated as indicators. Their presence in the sample's heap is consistent with RedLine's WCF net.tcp C2 channel, the .NET Message Framing (MC-NMF) traffic that Suricata rule 2046045 above names.

Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  http://schemas.xmlsoap.org/ws/2002/12/policy
  http://schemas.xmlsoap.org/ws/2004/04/sc
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/04/trust
  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/06/addressingex
  http://schemas.xmlsoap.org/ws/2004/10/wsat
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  http://schemas.xmlsoap.org/ws/2004/10/wscoor
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
  http://schemas.xmlsoap.org/ws/2005/02/sc
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
  http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  http://schemas.xmlsoap.org/ws/2005/02/trust
  http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
  http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
  http://schemas.xmlsoap.org/soap/actor/next
  http://schemas.xmlsoap.org/soap/envelope/
  http://schemas.xmlsoap.org/ws/2004/08/addressing
  http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rmX

Source: 1rjcA65eoG.exe, 00000000.00000002.1188920272.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory:
  http://purl.oen
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp, 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002960000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp, 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002960000.00000004.00000800.00020000.00000000.sdmp, 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: 1rjcA65eoG.exe | String found in binary or memory: https://api.ip.sb/ip

                    System Summary

                    Source: 1rjcA65eoG.exe, type: SAMPLE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                    Source: 0.0.1rjcA65eoG.exe.460000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 1rjcA65eoG.exe
                    Source: 1rjcA65eoG.exe, 00000000.00000000.1045548463.00000000004A6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 1rjcA65eoG.exe
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1188131163.00000000009DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 1rjcA65eoG.exe
                    Source: 1rjcA65eoG.exe | Binary or memory string: OriginalFilenameSteanings.exe8 vs 1rjcA65eoG.exe
                    Source: 1rjcA65eoG.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 1rjcA65eoG.exe, type: SAMPLE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: 0.0.1rjcA65eoG.exe.460000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File created: C:\Users\user\AppData\Local\SystemCache
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Mutant created: NULL
                    Source: 1rjcA65eoG.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 1rjcA65eoG.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: 1rjcA65eoG.exe | ReversingLabs: Detection: 75%
                    Source: 1rjcA65eoG.exe | Virustotal: Detection: 83%
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: msvcp140_clr0400.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: 1rjcA65eoG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 1rjcA65eoG.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: 1rjcA65eoG.exe | Static PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\1rjcA65eoG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Memory allocated: CF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Memory allocated: 27E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Window / User API: threadDelayed 2135
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Window / User API: threadDelayed 5153
Source: C:\Users\user\Desktop\1rjcA65eoG.exe TID: 7036 | Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\Desktop\1rjcA65eoG.exe TID: 6524 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Thread delayed: delay time: 922337203685477
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696501413o
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696501413j
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696501413j
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696501413s
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696501413f
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696501413s
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1188131163.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696501413
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696501413o
Source: 1rjcA65eoG.exe, 00000000.00000002.1191863641.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696501413f
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Code function: 0_2_0602A570 LdrInitializeThunk,0_2_0602A570
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Users\user\Desktop\1rjcA65eoG.exe VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 1rjcA65eoG.exe, 00000000.00000002.1188131163.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 1rjcA65eoG.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1rjcA65eoG.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1045515269.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1rjcA65eoG.exe PID: 6484, type: MEMORYSTR
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Desktop\1rjcA65eoG.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1rjcA65eoG.exe PID: 6484, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 1rjcA65eoG.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1rjcA65eoG.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1045515269.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1rjcA65eoG.exe PID: 6484, type: MEMORYSTR
MITRE ATT&CK Matrix (numbers in front of a technique are the report's count of matching signatures for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | 1 OS Credential Dumping | 231 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 241 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
1rjcA65eoG.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.RedLineStealz
1rjcA65eoG.exe | 84% | Virustotal |
                    No Antivirus matches


                    No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23ResponseD | 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002960000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/ | 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id2Response | 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp, 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | 1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | false | |
                                        high
                                        http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://tempuri.org/Entity/Id91rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://tempuri.org/Entity/Id81rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://tempuri.org/Entity/Id51rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://tempuri.org/Entity/Id41rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://tempuri.org/Entity/Id71rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://purl.oen1rjcA65eoG.exe, 00000000.00000002.1188920272.0000000000FFE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          http://tempuri.org/Entity/Id61rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://tempuri.org/Entity/Id19Response1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/fault1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://tempuri.org/Entity/Id15Response1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id6Response1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://api.ip.sb/ip1rjcA65eoG.exefalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/04/sc1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/Entity/Id1ResponseD1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://tempuri.org/Entity/Id9Response1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id201rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id211rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id221rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA11rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id231rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA11rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id241rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id24Response1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/Id1Response1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/08/addressing1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trust1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://tempuri.org/Entity/Id101rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://tempuri.org/Entity/Id111rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://tempuri.org/Entity/Id121rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://tempuri.org/Entity/Id16Response1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://tempuri.org/Entity/Id131rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://tempuri.org/Entity/Id141rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://tempuri.org/Entity/Id151rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://tempuri.org/Entity/Id161rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://tempuri.org/Entity/Id171rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://tempuri.org/Entity/Id181rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://tempuri.org/Entity/Id5Response1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://tempuri.org/Entity/Id191rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://tempuri.org/Entity/Id10Response1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/Renew1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://tempuri.org/Entity/Id8Response1rjcA65eoG.exe, 00000000.00000002.1189062404.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey1rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.01rjcA65eoG.exe, 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
IP:185.153.198.36
Domain:unknown
Country:Russian Federation
ASN:49877
ASN Name:RMINJINERINGRU
Malicious:true
                                                                                                                                                                                                                            Joe Sandbox version:42.0.0 Malachite
                                                                                                                                                                                                                            Analysis ID:1646702
                                                                                                                                                                                                                            Start date and time:2025-03-24 08:29:51 +01:00
                                                                                                                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                            Overall analysis duration:0h 4m 34s
                                                                                                                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                            Report type:full
                                                                                                                                                                                                                            Cookbook file name:default.jbs
                                                                                                                                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                                                                                                                                                                                                                            Number of new started drivers analysed:0
                                                                                                                                                                                                                            Number of existing processes analysed:0
                                                                                                                                                                                                                            Number of existing drivers analysed:0
                                                                                                                                                                                                                            Number of injected processes analysed:0
                                                                                                                                                                                                                            Technologies:
                                                                                                                                                                                                                            • HCA enabled
                                                                                                                                                                                                                            • EGA enabled
                                                                                                                                                                                                                            • AMSI enabled
                                                                                                                                                                                                                            Analysis Mode:default
                                                                                                                                                                                                                            Analysis stop reason:Timeout
                                                                                                                                                                                                                            Sample name:1rjcA65eoG.exe
                                                                                                                                                                                                                            renamed because original name is a hash value
                                                                                                                                                                                                                            Original Sample Name:3fee866de2ecef0d0fbaeb9297be4daf.exe
                                                                                                                                                                                                                            Detection:MAL
                                                                                                                                                                                                                            Classification:mal100.troj.spyw.evad.winEXE@1/1@0/1
                                                                                                                                                                                                                            EGA Information:
                                                                                                                                                                                                                            • Successful, ratio: 100%
                                                                                                                                                                                                                            HCA Information:
                                                                                                                                                                                                                            • Successful, ratio: 97%
                                                                                                                                                                                                                            • Number of executed functions: 18
                                                                                                                                                                                                                            • Number of non-executed functions: 14
                                                                                                                                                                                                                            Cookbook Comments:
                                                                                                                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                                                                                                                                                                                                                            • Excluded IPs from analysis (whitelisted): 20.12.23.50, 23.204.23.20, 20.109.210.53
                                                                                                                                                                                                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time:03:30:54
Type:API Interceptor
Description:37x Sleep call for process: 1rjcA65eoG.exe modified
Match:RMINJINERINGRU
Associated Sample Name / URL | Detection | Threat Name | Context
sotema_7.txt.exe | malicious | RedLine | 87.251.71.195
HEUR-Trojan.Win32.Agent.gen-7a4df2fc82c0b553d.exe | malicious | Amadey, PrivateLoader, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar | 87.251.71.195
14jxqkI8dt.exe | malicious | Backstage Stealer, ManusCrypt, PrivateLoader, RedLine, Vidar | 87.251.71.195
1ULY9wkde4.exe | malicious | ManusCrypt, PrivateLoader, RedLine, SmokeLoader, Vidar | 87.251.71.195
1DCAB4CDFFDF269EA33719990AC81C515345B50FE1C60.exe | malicious | PrivateLoader, RedLine, Vidar | 87.251.71.195
5GBK05PTFO.dll | malicious | Wannacry | 185.153.199.225
e8k60omgBH.exe | malicious | Unknown | 185.153.198.216
                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\1rjcA65eoG.exe
                                                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):3094
                                                                                                                                                                                                                            Entropy (8bit):5.33145931749415
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                                                                                                                                                                                                                            MD5:3FD5C0634443FB2EF2796B9636159CB6
                                                                                                                                                                                                                            SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                                                                                                                                                                                                                            SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                                                                                                                                                                                                                            SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                                            Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.0813148099825485
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:1rjcA65eoG.exe
File size:307'712 bytes
MD5:3fee866de2ecef0d0fbaeb9297be4daf
SHA1:582838d465cce216f7115db662827d47023f4519
SHA256:7f360d2a3373811cb6fbe98bf8217db440b8a1f4c28e35462eded4d7b4b5b60b
SHA512:ad5c05546a15cb2e70c5af7463b7cf58d456f447d7538d0fdf5d75f470b72a3f4a29532bf5c6a3d06ee2ac0ea78922e77687caeb355b1222eb48778bb9ec8c70
SSDEEP:3072:GcZqf7D34cp/0+mAYkygYdQ0ghnB1fA0PuTVAtkxzA3R4eqiOL2bBOA:GcZqf7DIknGapB1fA0GTV8kKYL
TLSH:31645A5833E8C910DA7F4775D861D67093B0BCA3A552E70B4FC4ACAB3D32740EA51AB6
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@................................
Icon Hash:4d8ea38d85a38e6d
Entrypoint:0x43028e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30240 | 0x4b | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9c6 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x2e294 | 0x2e400 | 935272b593c1ff27c92a8d07d61251ce | False | 0.4747730152027027 | data | 6.186111692978325 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x32000 | 0x1c9c6 | 0x1ca00 | a8cf3f8ff27a4a736ba8fb433d91107f | False | 0.2380765556768559 | data | 2.615031395625776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x50000 | 0xc | 0x200 | 21472a05bd31cf3b960b3bcc0808216b | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x32220 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631 |
| RT_ICON | 0x35f24 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049 |
| RT_ICON | 0x4674c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216 |
| RT_ICON | 0x4a974 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889 |
| RT_ICON | 0x4cf1c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118 |
| RT_ICON | 0x4dfc4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985 |
| RT_GROUP_ICON | 0x4e42c | 0x5a | data | | | 0.7666666666666667 |
| RT_VERSION | 0x4e488 | 0x352 | data | | | 0.4447058823529412 |
| RT_MANIFEST | 0x4e7dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| Comments | XHP Booster |
| CompanyName | |
| FileDescription | XHP |
| FileVersion | 12.9.1.22 |
| InternalName | Steanings.exe |
| LegalCopyright | XHP Corporation Copyright 2021 |
| LegalTrademarks | |
| OriginalFilename | Steanings.exe |
| ProductName | XHP booster |
| ProductVersion | 12.9.1.22 |
| Assembly Version | 1.1.21.1 |


| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-24T08:30:48.957019+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.10 | 49683 | 185.153.198.36 | 1912 | TCP |
| 2025-03-24T08:30:48.957019+0100 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.10 | 49683 | 185.153.198.36 | 1912 | TCP |
| 2025-03-24T08:30:49.165360+0100 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 185.153.198.36 | 1912 | 192.168.2.10 | 49683 | TCP |
| 2025-03-24T08:30:54.231043+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.10 | 49683 | 185.153.198.36 | 1912 | TCP |
| 2025-03-24T08:30:56.830918+0100 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 185.153.198.36 | 1912 | 192.168.2.10 | 49683 | TCP |
| 2025-03-24T08:30:58.701236+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.10 | 49683 | 185.153.198.36 | 1912 | TCP |
| 2025-03-24T08:30:59.953209+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.10 | 49683 | 185.153.198.36 | 1912 | TCP |
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.245052099 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.245112896 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.245218992 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.245273113 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.245475054 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.245536089 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.245665073 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.245726109 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.245862007 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.245863914 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.245923996 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.246318102 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.246382952 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.246457100 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.246524096 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.246911049 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.246965885 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.247340918 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.247358084 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.247459888 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.247996092 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.248053074 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.248656034 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.248718977 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.450098038 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.450122118 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.450229883 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.450366974 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.450392962 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.450427055 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.450464010 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.450706959 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.450786114 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.451009989 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.451137066 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.451333046 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.451531887 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.451899052 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.452363968 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.452563047 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.452574968 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.453150034 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.453226089 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.453876019 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.454106092 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.454406977 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.454513073 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.454987049 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.455192089 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.455208063 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.455830097 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.456259966 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.456696033 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.457241058 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.457257032 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.457268953 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.457279921 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.457340002 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.457807064 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.458025932 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.458039999 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.458323002 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.458636999 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.459048986 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.459103107 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.655694962 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.656008959 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.656316042 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.656598091 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.656610966 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.656977892 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.657187939 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.658046007 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.658493042 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.658802986 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.658890009 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.664676905 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.665113926 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.665316105 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.665638924 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.665994883 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.666007042 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.666368961 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.666794062 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.667058945 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.667380095 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.667454958 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.667561054 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.668250084 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.668708086 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.668719053 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.668987036 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.669243097 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.669433117 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.670147896 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:57.670166016 CET191249683185.153.198.36192.168.2.10
Mar 24, 2025 08:30:57.670217991 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.670934916 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.671181917 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.671467066 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.671678066 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.671993971 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.722361088 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.722666979 CET    49683   1912     192.168.2.10      185.153.198.36
Mar 24, 2025 08:30:57.722781897 CET    49683   1912     192.168.2.10      185.153.198.36
Mar 24, 2025 08:30:57.864267111 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.864289045 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.864489079 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.864905119 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.865039110 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.865241051 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.865653992 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.865952015 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.866260052 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.866833925 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.866847992 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.867022991 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.867419958 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.867749929 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.868119955 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.868416071 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.868628025 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.869107008 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.869323969 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.869534016 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.869765997 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.870125055 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.870392084 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.870852947 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.871081114 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.871407032 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.912748098 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.913048029 CET    49683   1912     192.168.2.10      185.153.198.36
Mar 24, 2025 08:30:57.913151979 CET    49683   1912     192.168.2.10      185.153.198.36
Mar 24, 2025 08:30:57.928071022 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.928545952 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.928941011 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.929462910 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.929558039 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.929853916 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.930269957 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.930496931 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.930862904 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.931103945 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.931267977 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.931377888 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.931879997 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.932944059 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.932955027 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.932966948 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.932976007 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.933264017 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.933274984 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.933712959 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.934403896 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.934673071 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.935098886 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.935333014 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.935522079 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.935683966 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.975944996 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:57.976260900 CET    49683   1912     192.168.2.10      185.153.198.36
Mar 24, 2025 08:30:57.976372957 CET    49683   1912     192.168.2.10      185.153.198.36
Mar 24, 2025 08:30:58.118760109 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.118781090 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.118809938 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.118966103 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.119641066 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.119736910 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.120086908 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.120168924 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.120614052 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.120954037 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.121212959 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.121606112 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.122001886 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.122212887 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.122447014 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.122798920 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.122994900 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.123212099 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.123470068 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.123862028 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.123991013 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.124628067 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.124891996 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.125052929 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.125432968 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.125576973 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.166790009 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.167104006 CET    49683   1912     192.168.2.10      185.153.198.36
Mar 24, 2025 08:30:58.167198896 CET    49683   1912     192.168.2.10      185.153.198.36
Mar 24, 2025 08:30:58.182622910 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.182643890 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.182732105 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.182951927 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.182993889 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.183092117 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.183803082 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.183826923 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.184145927 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.184377909 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.185581923 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.185610056 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.185621977 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.185663939 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.185710907 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.186163902 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.186609983 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.187259912 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.187659025 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.188175917 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.188363075 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.188399076 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.188756943 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.188858986 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.189202070 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.189522982 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.230494022 CET    1912    49683    185.153.198.36    192.168.2.10
Mar 24, 2025 08:30:58.230856895 CET    49683   1912     192.168.2.10      185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.230973959 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.372857094 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.372952938 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.373258114 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.373699903 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.373781919 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.374118090 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.374629974 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.374644995 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.374855995 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.374954939 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.375271082 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.375358105 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.375926018 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.376569986 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.376703024 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.377109051 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.377460957 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.377649069 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.377960920 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.378345013 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.378432989 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.378508091 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.378906965 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.379219055 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.379499912 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.379874945 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.421031952 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.421386003 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.436047077 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.436384916 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.436697960 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.436908960 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.437205076 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.437374115 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.438107014 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.438435078 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.438523054 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.438891888 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.439069033 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.439524889 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.439578056 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.439985037 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.441006899 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.441021919 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.441036940 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.441184998 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.441471100 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.441871881 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.442528963 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.442893982 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.443336964 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.443813086 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.443829060 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.443916082 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.485101938 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.626667023 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.626847982 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.627547026 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.627598047 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.627695084 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.627938986 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.628381968 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.628591061 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.628901005 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.629312992 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.629666090 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.629704952 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.630227089 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.630244017 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.630615950 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.630810022 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.631508112 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.676465988 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.700365067 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.701236010 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            Mar 24, 2025 08:30:58.963169098 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:59.907150030 CET191249683185.153.198.36192.168.2.10
                                                                                                                                                                                                                            Mar 24, 2025 08:30:59.953208923 CET496831912192.168.2.10185.153.198.36
                                                                                                                                                                                                                            050100s020406080100

                                                                                                                                                                                                                            Click to jump to process

                                                                                                                                                                                                                            050100s0.00204060MB

                                                                                                                                                                                                                            Click to jump to process

                                                                                                                                                                                                                            • File
                                                                                                                                                                                                                            • Registry
                                                                                                                                                                                                                            • Network

                                                                                                                                                                                                                            Click to dive into process behavior distribution

Target ID: 0
Start time: 03:30:44
Start date: 24/03/2025
Path: C:\Users\user\Desktop\1rjcA65eoG.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\1rjcA65eoG.exe"
Imagebase: 0x460000
File size: 307'712 bytes
MD5 hash: 3FEE866DE2ECEF0D0FBAEB9297BE4DAF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1045515269.0000000000462000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1189062404.0000000002876000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Execution Graph


Execution Coverage: 7.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 68
Total number of Limit Nodes: 8

Executed Functions

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1200601506.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6020000_1rjcA65eoG.jbxd
Similarity
• API ID:
• String ID: Hzq$Hzq$Hzq$Hzq$Hzq
• API String ID: 0-714681391
• Opcode ID: 0de4141ca6b2670e19291165995ef7bcdc1955615de4ad50190805e5d01171ec
• Instruction ID: 19c9f40e3bc6efa8850a270ebee38182e400b562c49936e0c1cb276c329c4e72
• Opcode Fuzzy Hash: 0de4141ca6b2670e19291165995ef7bcdc1955615de4ad50190805e5d01171ec
• Instruction Fuzzy Hash: 72F1AF31E04266CFDB99DF74D4502BDFBF2BF85300F24866AD416AB241DB789A85CB90

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1200601506.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6020000_1rjcA65eoG.jbxd
Similarity
• API ID:
• String ID: .$1
• API String ID: 0-1839485796
• Opcode ID: 4b599e75d703e658c03058b116489e01f8201a243eb30e08dd5d101427d233b0
• Instruction ID: f0b68cdc3398dda8a474768582077ab2a388206164e075661913731f8ea20162
• Opcode Fuzzy Hash: 4b599e75d703e658c03058b116489e01f8201a243eb30e08dd5d101427d233b0
• Instruction Fuzzy Hash: 2CF1DC74E01229CFDB68DF65D984B9DBBB2FF89301F1081AAD509A7290DB359E81CF50

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1200601506.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6020000_1rjcA65eoG.jbxd
Similarity
• API ID:
• String ID: k7$s/
• API String ID: 0-3895723279
• Opcode ID: 9e79f8609b26fe484a89df31c86d567f48a17d47b5466cb7d3ad42dacf169f6b
• Instruction ID: 235d3d6bc3e5fc8e0a98ca8be585217bcb4ef5738fbdb5c0f16d1d9eab0a7254
• Opcode Fuzzy Hash: 9e79f8609b26fe484a89df31c86d567f48a17d47b5466cb7d3ad42dacf169f6b
• Instruction Fuzzy Hash: AAC29EB4A012299FDBA4EF24D998B9DBBB1FF89301F1085E9D409A7354DB346E81CF50

Memory Dump Source
• Source File: 00000000.00000002.1200601506.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6020000_1rjcA65eoG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e911e75eae34b65855251f8dbe1039a34c2ac70896c1757597b4b2592ff0a7ec
• Instruction ID: c8721af2ce2584dacf2b49ea017b2a69064e2c1ef7de574a11595a13e04ae8d7
• Opcode Fuzzy Hash: e911e75eae34b65855251f8dbe1039a34c2ac70896c1757597b4b2592ff0a7ec
• Instruction Fuzzy Hash: 9F826C74A502268FDBE5EB28D858B697BF2FF44304F1081E9E8099B396E7709D45CF60

Control-flow Graph

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00CFB086
Memory Dump Source
• Source File: 00000000.00000002.1188761419.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cf0000_1rjcA65eoG.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 0185f7a5ed1b64ea4e07ba00a7b65dd3049a46f60475432deeddfe8b48819a23
• Instruction ID: 2b08b1d043278bfb4676b924103663492e9ac17c3daed8c22d931afd9667fa88
• Opcode Fuzzy Hash: 0185f7a5ed1b64ea4e07ba00a7b65dd3049a46f60475432deeddfe8b48819a23
• Instruction Fuzzy Hash: E07156B0A00B098FD764DF69C0407AABBF1FF88304F10892DE15ADBA50DB75E905CB92

Control-flow Graph (graph image not rendered; legend: Executed / Not Executed)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00CF59F1
Memory Dump Source
• Source File: 00000000.00000002.1188761419.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cf0000_1rjcA65eoG.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 77535f4c9feda11eaae987c5930ebd494fc8e0f8c3fa2534da4fddcf2bd894cf
• Instruction ID: d61515440d204d1b5203e1a68c791e174464bddb02f7ba5ba9e41ca893ed4512
• Opcode Fuzzy Hash: 77535f4c9feda11eaae987c5930ebd494fc8e0f8c3fa2534da4fddcf2bd894cf
• Instruction Fuzzy Hash: BE4102B0D0061CCFDB24DFA9C984B9DBBB5BF48304F20856AD208BB251DBB56946CF91

Control-flow Graph (graph image not rendered; legend: Executed / Not Executed)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00CF59F1
Memory Dump Source
• Source File: 00000000.00000002.1188761419.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cf0000_1rjcA65eoG.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 442fac95f519c7623413bc26169f703d976fd3bb8f89257dccf81bb3df2cc49e
• Instruction ID: 1e972311afc50c0819fc0ceebd1a94ffbb16a437754db089079ca240452052b1
• Opcode Fuzzy Hash: 442fac95f519c7623413bc26169f703d976fd3bb8f89257dccf81bb3df2cc49e
• Instruction Fuzzy Hash: 9541E0B0D0061CCBDB24DFA9C984B9DBBB5FF49304F20816AD608BB251DBB56945CF91

Control-flow Graph (graph image not rendered; legend: Executed / Not Executed)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00CFD2C6,?,?,?,?,?), ref: 00CFD387
Memory Dump Source
• Source File: 00000000.00000002.1188761419.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cf0000_1rjcA65eoG.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: e0ff5ab792b0c2fa19034acf8e60a00b89a2fb10017bb6b6aa6f8405637b5c8e
• Instruction ID: 53961ff614365bd9743c76c2a9d19c0d95780393803005c226b78a261810f0d4
• Opcode Fuzzy Hash: e0ff5ab792b0c2fa19034acf8e60a00b89a2fb10017bb6b6aa6f8405637b5c8e
• Instruction Fuzzy Hash: C821E6B59002489FDB10CF9AD984AEEBFF5EB48314F14801AEA15B3350D374A954CFA5

Control-flow Graph (graph image not rendered; legend: Executed / Not Executed)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00CFD2C6,?,?,?,?,?), ref: 00CFD387
Memory Dump Source
• Source File: 00000000.00000002.1188761419.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cf0000_1rjcA65eoG.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 2e63ca8aff4de773336c6b1d98418885a327f8cf49c1156c03b7cef2370be468
• Instruction ID: 30d64a8f31005553b192cf6f0643045fbbf44c6b46fd23a965c1938314b1962d
• Opcode Fuzzy Hash: 2e63ca8aff4de773336c6b1d98418885a327f8cf49c1156c03b7cef2370be468
• Instruction Fuzzy Hash: B621E3B59002499FDB00CFA9D580AEEBBF5AB48314F14801AE958A3250C374A954CF65

Control-flow Graph (graph image not rendered; legend: Executed / Not Executed)
APIs
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,0602FE76), ref: 0602FF7E
Memory Dump Source
• Source File: 00000000.00000002.1200601506.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6020000_1rjcA65eoG.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: e04b3045b84ea25e035c1a0089e01d337d3fd93837d104c4f26923f40c83071a
• Instruction ID: 1f66f853146c28eb3700a766816a70894b65af19042add3d3e86d3b38d79b7cd
• Opcode Fuzzy Hash: e04b3045b84ea25e035c1a0089e01d337d3fd93837d104c4f26923f40c83071a
• Instruction Fuzzy Hash: DD1142B1C4021A8FCB50CF9AC504B9FFBF4EF88264F10801AE419A7210C3B9A541CFA0
APIs
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,0602FE76), ref: 0602FF7E
Memory Dump Source
• Source File: 00000000.00000002.1200601506.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6020000_1rjcA65eoG.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: a1ae2abdade29958aed012f35f5f58145dcd8864540c19a9f47aa9eda47eac9d
• Instruction ID: 1a8cec574bb99d49a8570ba54cacff906cc0976168fa9bed269a7f558b78fe18
• Opcode Fuzzy Hash: a1ae2abdade29958aed012f35f5f58145dcd8864540c19a9f47aa9eda47eac9d
• Instruction Fuzzy Hash: 661123B5C0020A8FCB10CFAAC944B8FFBF4AF88224F10841AD419A7610C379A545CFA1
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00CFB086
Memory Dump Source
• Source File: 00000000.00000002.1188761419.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cf0000_1rjcA65eoG.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 2f53fa1c614caaa83ef6b803425005a0f6c7faa4b6d29aef58483a0a9385639b
• Instruction ID: 1f05bdb81266f97abca9c42250773342d556b030daa8a9c38214b43e8414369e
• Opcode Fuzzy Hash: 2f53fa1c614caaa83ef6b803425005a0f6c7faa4b6d29aef58483a0a9385639b
• Instruction Fuzzy Hash: 5611DFB5C007498FCB20CF9AD544B9EFBF4AB88324F10845AD569B7610C7B9AA45CFA1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1188069442.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9bd000_1rjcA65eoG.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: abaa2b913b6fb63b561173e26f08edb5e074389f76453a5a59d962f8e46f9590
                                                                                                                                                                                                                            • Instruction ID: 310cacaeb89d07149b2ceae3326a7d9b44f03f27d70ff2cf6683438f8eb55446
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: abaa2b913b6fb63b561173e26f08edb5e074389f76453a5a59d962f8e46f9590
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E7216771504244DFDB25DF14DAC0F66BF65FBC8328F20C569E9090B25AD37AD806CBA2
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1188534164.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_cad000_1rjcA65eoG.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: ebbac4dc0c143f4373501b88592fe7214cb0b519ca713e6653f0a237a86cf71d
                                                                                                                                                                                                                            • Instruction ID: ea89b75fed12dc3eb65df28500e94c367ac64dde1cbfd12a3741f111c1ae3e4f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ebbac4dc0c143f4373501b88592fe7214cb0b519ca713e6653f0a237a86cf71d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 46212271604205DFDB14DF24D9C0B26BFA1FB89318F20C5A9E90B4B692C33AD807CA62
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1188534164.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_cad000_1rjcA65eoG.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 61ab3165298c262fde8062bdda8729c6461ed84fa4d0c605c26d16fe3c6bff73
                                                                                                                                                                                                                            • Instruction ID: 095db502f171e9f6f44e5e010b67192ad08193cb164d09c009e464332e91b7ae
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 61ab3165298c262fde8062bdda8729c6461ed84fa4d0c605c26d16fe3c6bff73
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 062183755093808FCB02CF24D590715BF71EB46318F28C5DAD84A8F6A7C33A990ACB62
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1188069442.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9bd000_1rjcA65eoG.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: da316f5fb5fcf084e9b5f44e6eb1c7c573228ef550d80c07cc5ac7d33c5d7b24
                                                                                                                                                                                                                            • Instruction ID: fe330b88cd23553b7920456d3b36143e54c73733289f06246d6804e2c08803fb
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: da316f5fb5fcf084e9b5f44e6eb1c7c573228ef550d80c07cc5ac7d33c5d7b24
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CE112972504240CFCB15CF10D6C4B56BF71FB84324F24C5A9E8050B25AC336D45ACBA1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1188069442.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9bd000_1rjcA65eoG.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: f465f180864d566802ffa59b4566deae7f83d93f5104644be47d0ac02c2e271a
                                                                                                                                                                                                                            • Instruction ID: 993ec5bd314c547fad14bff5c21f4ed1cc0a433d5204a46121b76255d011f1b9
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f465f180864d566802ffa59b4566deae7f83d93f5104644be47d0ac02c2e271a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7F01267110E740AAE7108F29CE80BA7BFDCDF51374F18C45AED084A282E6799940CAB1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1188069442.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9bd000_1rjcA65eoG.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 07944607f44d19e24c6ff53ee2423a49d9f906af94eb0144e8aa98027d5dfa8d
                                                                                                                                                                                                                            • Instruction ID: 67f18c0f769989834c02ed666025a4aec1c1c994dca0aa0b15552a5593360782
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 07944607f44d19e24c6ff53ee2423a49d9f906af94eb0144e8aa98027d5dfa8d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B9F0C271509340AEE7108E15CD84BA2FFDCEB51338F18C05AED081A296D2799840CAB0

Non-executed Functions

Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1200601506.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_6020000_1rjcA65eoG.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: $vq$$vq
                                                                                                                                                                                                                            • API String ID: 0-1900141992
                                                                                                                                                                                                                            • Opcode ID: 253c15e1dc8a5292168ffc53af1c5e2ce570784b4b6a760e058852757f9313e7
                                                                                                                                                                                                                            • Instruction ID: cb6faed3ac6e1ed0bf83d246e66cac15b858b6de343cba59d4d790f3862535ca
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 253c15e1dc8a5292168ffc53af1c5e2ce570784b4b6a760e058852757f9313e7
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B791E374E01228CFDB58DFA9D584A9DBBF2FF89305F608469E409AB354DB359986CF00
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1200601506.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_6020000_1rjcA65eoG.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 18031a969b0e91c88f8bf5f47ccc164af0889475fabeb65ef8f24b223898cfc2
                                                                                                                                                                                                                            • Instruction ID: 30ece121095f7d70498f68c8bc559865d560c3d39c9dbaa53e43d67f7921b9d1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 18031a969b0e91c88f8bf5f47ccc164af0889475fabeb65ef8f24b223898cfc2
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8F428F74E012298FDB68DF65C994BDEBBB2BF49301F1085E9D409AB261DB349E81CF50
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1200601506.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_6020000_1rjcA65eoG.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: a493efbcdf390b82a02c06ecd6ba6f0071936d119f44d291fde3f8483b18d79d
                                                                                                                                                                                                                            • Instruction ID: edfe5f454fa3c33451284adc71591ebf1e3a61638cffeecd5351e4d4e0b5a2fd
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a493efbcdf390b82a02c06ecd6ba6f0071936d119f44d291fde3f8483b18d79d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1F227E74E012298FDBA5DF64C994BDDBBB1AF89300F1085EAD509A7250EB319EC5CF90
Memory Dump Source
• Source File: 00000000.00000002.1200601506.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6020000_1rjcA65eoG.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1188761419.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cf0000_1rjcA65eoG.jbxd
                                                                                                                                                                                                                            • Instruction ID: 83403d1de9cd290079041c4fa724481eebe1c9ca7b0904a9704081934b488c6d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e2f9d28bbe872c279fa1edbe21941e529f433fafac524e9aefaeabf39b2776fa
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BA414D71D053698FEB19DF7AC8503DEBFB2AF86210F14C0AAC858AB252DB744949CF51