
Windows Analysis Report
sotema_7.txt.exe

Overview

General Information

Sample Name: sotema_7.txt.exe
Analysis ID: 789378
MD5: b0486bfc2e579b49b0cacee12c52469c
SHA1: ac6eb40cc66eddd0589eb940e6a6ce06b00c7d30
SHA256: 9057ba81960258a882dee4335d947f499adabfc59bfd99e2b5f56b508a01fbe2
Tags: exe, RedLineStealer

Detection

RedLine
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Generic Downloader
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Binary contains a suspicious time stamp
Detected potential crypto function
Yara detected Credential Stealer
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • sotema_7.txt.exe (PID: 5560 cmdline: C:\Users\user\Desktop\sotema_7.txt.exe MD5: B0486BFC2E579B49B0CACEE12C52469C)
    • conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sotema_7.txt.exe (PID: 5136 cmdline: C:\Users\user\Desktop\sotema_7.txt.exe MD5: B0486BFC2E579B49B0CACEE12C52469C)
  • cleanup
{
  "C2 url": "87.251.71.195:82",
  "Bot Id": "ServAni"
}
Source: sotema_7.txt.exe | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
  • 0x2d75:$v4_2: isWow64
  • 0x39d9:$v4_4: stringKey
  • 0x35c5:$v4_7: xoredString
  • 0x335c:$v4_8: procName
  • 0x31c8:$v4_9: base64EncodedData
Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_f54632eb | Description: unknown | Author: unknown | Strings:
  • 0x1614c:$a2: https://ipinfo.io/ip%appdata%\
  • 0x1686c:$a3: Software\Valve\SteamLogin Data
  • 0x1217d:$a4: get_ScannedWallets
  • 0x1111f:$a5: get_ScanTelegram
  • 0x11e06:$a6: get_ScanGeckoBrowsersPaths
  • 0xfdc5:$a7: <Processes>k__BackingField
  • 0xdd7e:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0xf6f9:$a9: <ScanFTP>k__BackingField
Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | Rule: SUSP_Double_Base64_Encoded_Executable | Description: Detects an executable that has been encoded with base64 twice | Author: Florian Roth | Strings:
  • 0x5a068:$: VFZxUUFBT
Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
  • 0xda4b:$u7: RunPE
  • 0x10dd6:$u8: DownloadAndEx
  • 0x15454:$pat14: , CommandLine:
  • 0x1045b:$v2_1: ListOfProcesses
  • 0xdc23:$v2_2: get_ScanVPN
  • 0xdcc6:$v2_2: get_ScanFTP
  • 0xe972:$v2_2: get_ScanDiscord
  • 0xf903:$v2_2: get_ScanSteam
  • 0xf91f:$v2_2: get_ScanTelegram
  • 0xf9d4:$v2_2: get_ScanScreen
  • 0x105ce:$v2_2: get_ScanChromeBrowsersPaths
  • 0x10606:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x108cb:$v2_2: get_ScanBrowsers
  • 0x1097d:$v2_2: get_ScannedWallets
  • 0x109a3:$v2_2: get_ScanWallets
  • 0x109c3:$v2_3: GetArguments
  • 0x13b56:$v2_3: GetArguments
  • 0xf1db:$v2_4: VerifyUpdate
  • 0x13ba4:$v2_4: VerifyUpdate
  • 0x10c6d:$v2_5: VerifyScanRequest
  • 0x13b6f:$v2_5: VerifyScanRequest
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack | Rule: Windows_Trojan_RedLineStealer_f54632eb | Description: unknown | Author: unknown | Strings:
  • 0x1494c:$a2: https://ipinfo.io/ip%appdata%\
  • 0x1506c:$a3: Software\Valve\SteamLogin Data
  • 0x1097d:$a4: get_ScannedWallets
  • 0xf91f:$a5: get_ScanTelegram
  • 0x10606:$a6: get_ScanGeckoBrowsersPaths
  • 0xe5c5:$a7: <Processes>k__BackingField
  • 0xc57e:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0xdef9:$a9: <ScanFTP>k__BackingField
Source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: sotema_7.txt.exe | Avira: detected
Source: sotema_7.txt.exe | ReversingLabs: Detection: 76%
Source: sotema_7.txt.exe | Virustotal: Detection: 73%
Source: sotema_7.txt.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "87.251.71.195:82", "Bot Id": "ServAni"}
Source: sotema_7.txt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: sotema_7.txt.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: (PZoHC:\Windows\System.ServiceModel.pdb | source: sotema_7.txt.exe, 00000002.00000002.514498917.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp

Networking

Source: Yara match | File source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Malware configuration extractor | URLs: 87.251.71.195:82
Source: global traffic | TCP traffic: 192.168.2.6:49714 -> 87.251.71.195:82
Source: Joe Sandbox View | ASN Name: RMINJINERINGRU RMINJINERINGRU
Source: Joe Sandbox View | IP Address: 87.251.71.195 87.251.71.195
Source: unknown | TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://87.251.71.195:82
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://87.251.71.195:82/
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://87.251.71.195:824
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0#
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0D
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetArguments
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsResponse
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequest
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestResponse
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: sotema_7.txt.exe, 00000000.00000002.256471096.0000000001559000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: sotema_7.txt.exe, type: SAMPLE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.0.sotema_7.txt.exe.df0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: sotema_7.txt.exe PID: 5136, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: sotema_7.txt.exe, SystemServiceModelHostNameComparisonModeHelper19984.cs | Long String: Length: 183690
Source: 0.0.sotema_7.txt.exe.df0000.0.unpack, SystemServiceModelHostNameComparisonModeHelper19984.cs | Long String: Length: 183690
Source: sotema_7.txt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: sotema_7.txt.exe, type: SAMPLE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.0.sotema_7.txt.exe.df0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: sotema_7.txt.exe PID: 5136, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: sotema_7.txt.exe, 00000000.00000002.256471096.0000000001559000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs sotema_7.txt.exe
Source: sotema_7.txt.exe, 00000000.00000000.248446579.0000000000E52000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpiremes.exe4 vs sotema_7.txt.exe
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDiazoes.exe4 vs sotema_7.txt.exe
Source: sotema_7.txt.exe, 00000002.00000002.514028611.000000000041A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDiazoes.exe4 vs sotema_7.txt.exe
Source: sotema_7.txt.exe | Binary or memory string: OriginalFilenameSpiremes.exe4 vs sotema_7.txt.exe
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Code function: 2_2_011CD5E8
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Code function: 2_2_011CCCF0
Source: sotema_7.txt.exe | ReversingLabs: Detection: 76%
Source: sotema_7.txt.exe | Virustotal: Detection: 73%
Source: sotema_7.txt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sotema_7.txt.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\sotema_7.txt.exe C:\Users\user\Desktop\sotema_7.txt.exe
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Process created: C:\Users\user\Desktop\sotema_7.txt.exe C:\Users\user\Desktop\sotema_7.txt.exe
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: sotema_7.txt.exe, SystemServiceModelHostNameComparisonModeHelper19984.cs | Base64 encoded string (double-base64 blob omitted)
Source: 0.0.sotema_7.txt.exe.df0000.0.unpack, SystemServiceModelHostNameComparisonModeHelper19984.cs | Base64 encoded string (double-base64 blob omitted)
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_01
Source: C:\Users\user\Desktop\sotema_7.txt.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sotema_7.txt.exe.log
Source: classification engine | Classification label: mal92.troj.evad.winEXE@4/1@0/1
Source: sotema_7.txt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: sotema_7.txt.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: sotema_7.txt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: (PZoHC:\Windows\System.ServiceModel.pdb | source: sotema_7.txt.exe, 00000002.00000002.514498917.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp
Source: sotema_7.txt.exe | Static PE information: 0xB8BCC0EF [Mon Mar 19 10:18:23 2068 UTC]

              Hooking and other Techniques for Hiding and Protection

              barindex
Source: Possible double extension: txt.exe | Static PE information: sotema_7.txt.exe
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Process information set: NOOPENFILEERRORBOX (52 identical entries)
Source: C:\Users\user\Desktop\sotema_7.txt.exe TID: 5140 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Process created: C:\Users\user\Desktop\sotema_7.txt.exe C:\Users\user\Desktop\sotema_7.txt.exe
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Queries volume information: C:\Users\user\Desktop\sotema_7.txt.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\sotema_7.txt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sotema_7.txt.exe PID: 5136, type: MEMORYSTR
Source: Yara match | File source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sotema_7.txt.exe PID: 5136, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sotema_7.txt.exe PID: 5136, type: MEMORYSTR

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | 11 Process Injection | 11 Masquerading | 1 Input Capture | 21 Virtualization/Sandbox Evasion | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 11 Obfuscated Files or Information | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph (ID 789378, sample sotema_7.txt.exe, start date 23/01/2023, architecture WINDOWS, score 92; graphic and legend not reproduced in this export): sotema_7.txt.exe starts a second sotema_7.txt.exe and conhost.exe; it drops C:\Users\user\...\sotema_7.txt.exe.log (ASCII); the child sotema_7.txt.exe connects to 87.251.71.195 port 82 (RMINJINERINGRU, Russian Federation). Signatures attached to the graph: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures.

Screenshots (thumbnails not reproduced in this export): windows-stand
Source | Detection | Scanner | Label
sotema_7.txt.exe | 77% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
sotema_7.txt.exe | 74% | Virustotal |
sotema_7.txt.exe | 100% | Avira | HEUR/AGEN.1235110
sotema_7.txt.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.0.sotema_7.txt.exe.df0000.0.unpack | 100% | Avira | HEUR/AGEN.1235110
2.2.sotema_7.txt.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1234957
No Antivirus matches
Source | Detection | Scanner | Label
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/GetArguments | 0% | URL Reputation | safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://tempuri.org/0D | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/VerifyUpdateResponse | 0% | URL Reputation | safe
http://ocsp.sectigo.com0# | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/GetArgumentsResponse | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/GetUpdates | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/GetUpdates | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/VerifyScanRequest | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/GetUpdatesResponse | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/ | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/VerifyUpdate | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/VerifyScanRequestResponse | 0% | URL Reputation | safe
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy | 0% | Avira URL Cloud | safe
87.251.71.195:82 | 0% | Avira URL Cloud | safe
http://87.251.71.195:82 | 0% | Avira URL Cloud | safe
http://87.251.71.195:82/ | 0% | Avira URL Cloud | safe
http://87.251.71.195:824 | 0% | Avira URL Cloud | safe


              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
87.251.71.195:82 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/ip%appdata% | sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy | sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/GetArguments | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://87.251.71.195:82/ | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/0D | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://87.251.71.195:824 | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0# | sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/GetArgumentsResponse | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/GetUpdates | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://api.ipify.org | sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/VerifyScanRequest | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/GetUpdatesResponse | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://87.251.71.195:82 | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/ | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/VerifyUpdate | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/VerifyScanRequestResponse | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/actor/next | sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
87.251.71.195 | unknown | Russian Federation | 49877 | RMINJINERINGRU | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 789378
Start date and time: 2023-01-23 00:15:14 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: sotema_7.txt.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.troj.evad.winEXE@4/1@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 74
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
• Execution Graph export aborted for target sotema_7.txt.exe, PID 5136 because it is empty
• Not all processes were analyzed, report is missing behavior information
                              No simulations
Match | Associated Sample Name / URL | Detection | Context
87.251.71.195 | HjsWdhuCuY.exe | malicious | 87.251.71.195:11924//
No context
Match | Associated Sample Name / URL | Detection | Context
RMINJINERINGRU | HEUR-Trojan.Win32.Agent.gen-7a4df2fc82c0b553d.exe | malicious | 87.251.71.195
 | 14jxqkI8dt.exe | malicious | 87.251.71.195
 | 1ULY9wkde4.exe | malicious | 87.251.71.195
 | 1DCAB4CDFFDF269EA33719990AC81C515345B50FE1C60.exe | malicious | 87.251.71.195
 | 5GBK05PTFO.dll | malicious | 185.153.199.225
 | e8k60omgBH.exe | malicious | 185.153.198.216
 | BFB5D8AB558D5057F1980C1BAB9BFB8215D43F41F0065.exe | malicious | 87.251.71.82
 | E10C2C073D337A5CD7BC1FE1FB48B314730D257FB0D21.exe | malicious | 87.251.71.64
 | ileEIP26cf.exe | malicious | 87.251.71.64
 | G2Shy4flZe.exe | malicious | 87.251.71.44
 | BC2CCE5055F9411C04EDEEE699D7161C257574B4C5540.exe | malicious | 87.251.71.195
 | srJfa3GmXh.exe | malicious | 87.251.71.44
 | oGC5UCbzoL.exe | malicious | 87.251.71.44
 | nVJouCa1cO.exe | malicious | 87.251.71.44
 | GIqD5HuY5M.exe | malicious | 87.251.71.64
 | J3Z409zKc6.exe | malicious | 87.251.71.44
 | SHxBXBGCyS.exe | malicious | 185.153.198.58
 | WyhX1MJx8v.exe | malicious | 87.251.71.68
 | 6clffER1J0.exe | malicious | 185.153.198.58
 | SmartPDF.exe | malicious | 87.251.71.14
No context
No context
Process: C:\Users\user\Desktop\sotema_7.txt.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 42
Entropy (8bit): 4.0050635535766075
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUy:Q3La/xwQ
MD5: 84CFDB4B995B1DBF543B26B86C863ADC
SHA1: D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256: D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512: 485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
File type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 3.739157527036374
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: sotema_7.txt.exe
File size: 389120
MD5: b0486bfc2e579b49b0cacee12c52469c
SHA1: ac6eb40cc66eddd0589eb940e6a6ce06b00c7d30
SHA256: 9057ba81960258a882dee4335d947f499adabfc59bfd99e2b5f56b508a01fbe2
SHA512: b7f55e346830e2a2ed99bd57bfd0cb66221675a6b0b23d35e5d7fac5eee0c3dfc771eed5fed410c2063410e048fe41765c880ebf0a48137f9135cf1d65951075
SSDEEP: 6144:Q9Sl9qalveLsj2ebm0+wc9fc3ETdsfHXfD16gmiktKpRA3Is3LeEXB:KSl9qalveYj2ebm0bc9fc3EefHXfD16F
TLSH: 5384452868BFC01984E3EEA12DDCA8FBD99A55E7640D703701B4633B8B51B84DE4F479
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............Z.... ... ....@.. .......................`............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x46015a
Entrypoint Section: .text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows cui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0xB8BCC0EF [Mon Mar 19 10:18:23 2068 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
                               Name                                  Virtual Address  Virtual Size  Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_IMPORT          0x60108          0x4f          .text
                               IMAGE_DIRECTORY_ENTRY_RESOURCE        0x62000          0x2a8         .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_BASERELOC       0x64000          0xc           .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG           0x600ec          0x1c          .text
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                               Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                               .text   0x2000           0x5e160       0x5e400   False     0.27560044346816975  data       3.7510584782896013   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .rsrc   0x62000          0x2a8         0x400     False     0.2998046875         data       2.1632117842384715   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc  0x64000          0xc           0x400     False     0.025390625          data       0.04468700625387198  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               Name        RVA      Size   Type  Language  Country
                               RT_VERSION  0x62058  0x24c  data

                               DLL          Import
                               mscoree.dll  _CorExeMain


                               Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                               Jan 23, 2023 00:16:34.541400909 CET  49714        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:16:37.584929943 CET  49714        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:16:43.581149101 CET  49714        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:16:56.833153009 CET  49715        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:16:59.848057985 CET  49715        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:17:05.848617077 CET  49715        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:17:18.897645950 CET  49720        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:17:21.912477970 CET  49720        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:17:27.921582937 CET  49720        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:17:40.946590900 CET  49722        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:17:43.961141109 CET  49722        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:17:49.977324009 CET  49722        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:18:02.996228933 CET  49724        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:18:06.010751009 CET  49724        82         192.168.2.6  87.251.71.195
                               Jan 23, 2023 00:18:12.012851954 CET  49724        82         192.168.2.6  87.251.71.195

                              Target ID:0
                              Start time:00:16:10
                              Start date:23/01/2023
                              Path:C:\Users\user\Desktop\sotema_7.txt.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\sotema_7.txt.exe
                              Imagebase:0xdf0000
                              File size:389120 bytes
                              MD5 hash:B0486BFC2E579B49B0CACEE12C52469C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Reputation:low

                              Target ID:1
                              Start time:00:16:11
                              Start date:23/01/2023
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6da640000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:2
                              Start time:00:16:11
                              Start date:23/01/2023
                              Path:C:\Users\user\Desktop\sotema_7.txt.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\sotema_7.txt.exe
                              Imagebase:0x850000
                              File size:389120 bytes
                              MD5 hash:B0486BFC2E579B49B0CACEE12C52469C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              Reputation:low

                              Executed Functions

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f63b9538aa02e9e13d7cde6542c4d1211a4c5e9921c5d2c8b4cd5847eedc79ec
                              • Instruction ID: e4b65e9bb0300e70deae2f266f3558907a8f6579baeb59fa9866eb1b00e217f6
                              • Opcode Fuzzy Hash: f63b9538aa02e9e13d7cde6542c4d1211a4c5e9921c5d2c8b4cd5847eedc79ec
                              • Instruction Fuzzy Hash: CFA21B34B002158FDB18DF68D995B6DBBB2BF88710F1084A9E90AAB391DF349D46CF51
                              Uniqueness

                              Uniqueness Score: -1.00%
                              • API String ID:
                              • Opcode ID: 96c86284419eba526da6ef3d550e189d10243f850ada63398223ca2999752047
                              • Instruction ID: f32d4b7333d5886f0b3cbb8155ec978e8c37effd37f4026dcb77ee1206306bce
                              • Opcode Fuzzy Hash: 96c86284419eba526da6ef3d550e189d10243f850ada63398223ca2999752047
                              • Instruction Fuzzy Hash: 9831AF343002455BD70DB768A864B3E62AFEBD5A64F244828E807D7398CF796D5353B2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5cf35cc12f306eb2ef0b6fb96456e7c3499a8f05ea9b827eeb3b05292d8b365f
                              • Instruction ID: 414e1058813b653d6008b868e515923cb66785f7d976fedefd195be989252cc5
                              • Opcode Fuzzy Hash: 5cf35cc12f306eb2ef0b6fb96456e7c3499a8f05ea9b827eeb3b05292d8b365f
                              • Instruction Fuzzy Hash: F7314471A002158FDF09DFA8E885BAA7FB0EF65714F1480AEE9458B361DB30D801CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dee04ee274bd1e1effcd887e122dd51325f94f79677cef629473677ff51ba8df
                              • Instruction ID: 8f75ec356c801e48e197421e357f09cc71040c4be171d3f56188e6da290e42f9
                              • Opcode Fuzzy Hash: dee04ee274bd1e1effcd887e122dd51325f94f79677cef629473677ff51ba8df
                              • Instruction Fuzzy Hash: 33311A347112088FDB18DF68C4A9A6E7BF2EF88711F14406CE906AB3A0DF759C42DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5d1628f0382a33b1a8d4ec741ca044fdfe7fb3f68e10c05700cc8cb51ea5550e
                              • Instruction ID: cdaceba56b183e898fe67e1cd9e15300f4979ca0b413df397c8e03e5acae4150
                              • Opcode Fuzzy Hash: 5d1628f0382a33b1a8d4ec741ca044fdfe7fb3f68e10c05700cc8cb51ea5550e
                              • Instruction Fuzzy Hash: 8D2105347163458FC308A779A42512E7FE7AFC5210B148C39E90ADB381EE388C0687B2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bead7ba2dd099f957aa0de774544dce296728fe54febb2ba477068d1f31d110d
                              • Instruction ID: cb795aaf203012820c974ae415179010e2609faecb03c443351dd76c51dfe6af
                              • Opcode Fuzzy Hash: bead7ba2dd099f957aa0de774544dce296728fe54febb2ba477068d1f31d110d
                              • Instruction Fuzzy Hash: 88318B32D10706DACB10AFB9C8403D9B771FF99320F25871AE559B7240EB71BAA4CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8a9e6a06dd96bbc3a2d87bc6f4ea8dfaa0f0a0c06f3ba41f910389479e83d0df
                              • Instruction ID: e2a9dab7ea74557031265ea9c00317d7d2fb1482f287031517405f817549a5de
                              • Opcode Fuzzy Hash: 8a9e6a06dd96bbc3a2d87bc6f4ea8dfaa0f0a0c06f3ba41f910389479e83d0df
                              • Instruction Fuzzy Hash: 43319C32D10706DACB10AFB9C8003D9B771FF99320F25871AE549B7240EB71BAA4CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 23cb7a1a508b26f0a25ebb48faff5ba10218a0e8f283a5ca0819f22e12be731f
                              • Instruction ID: 7b9ca7b0c17ecc4293613b302137eebde29d21d17d49467104fdc07b7f276c10
                              • Opcode Fuzzy Hash: 23cb7a1a508b26f0a25ebb48faff5ba10218a0e8f283a5ca0819f22e12be731f
                              • Instruction Fuzzy Hash: 4C210A3121A3809FC7115774D85576E7FB6EF86315F04086AE882CB392DE79980AC721
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 526ff0b3c6b909cf2217c79971d255fc5aaba448b809ca70f84ca7101925e037
                              • Instruction ID: 1353cf24556e7857c57957e0408a0730505c582fb67fcd935de43313fc6981bd
                              • Opcode Fuzzy Hash: 526ff0b3c6b909cf2217c79971d255fc5aaba448b809ca70f84ca7101925e037
                              • Instruction Fuzzy Hash: 4131D071A00215DFDF09DFA8D895AAE7BB5EFA4714F148479EA058B361DB30D841CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c6f84bdefbb3c9fc8d4ef11dce16b031c9203bd8b3bcf435c8aa1831197989d2
                              • Instruction ID: 5f29395180670d035b8cb2f134fae50c6bea8e58c99c901a36ad136dbb764876
                              • Opcode Fuzzy Hash: c6f84bdefbb3c9fc8d4ef11dce16b031c9203bd8b3bcf435c8aa1831197989d2
                              • Instruction Fuzzy Hash: 83313C357012088FD708DF69C4A9AAE7BF2EF98B10F14406CE502AB361CB769D41DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6a6b2054230bbc9af0baeb33e2bbfdeccf9b2c77d879345d2d554d33208ca3b3
                              • Instruction ID: 888a0728c6fdb0ddcab229ef80196ec20f2788e9308ed519bdd9b5a8ce7ef807
                              • Opcode Fuzzy Hash: 6a6b2054230bbc9af0baeb33e2bbfdeccf9b2c77d879345d2d554d33208ca3b3
                              • Instruction Fuzzy Hash: B5311339910209EFCB01AFA4E899A9DBFB6FF4C311F048855FA01A3264CB765E55DF20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a6836015ed22a3b948e284033eacaf7e89de198c1cc7d934345b01c8731760f8
                              • Instruction ID: 8a449fa42300fb1f594b5edaa077fc6a0c7bbfc385876dee51795fb4fba42198
                              • Opcode Fuzzy Hash: a6836015ed22a3b948e284033eacaf7e89de198c1cc7d934345b01c8731760f8
                              • Instruction Fuzzy Hash: 2D311339910209EFCB01AFA4E899A9DBFB6FF48311F048855FA01A3264CB765E55DF20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c41ed8b92215e6083b32c052f7dca08ddf41aaf7dfd2cad68e1d1c8cf968b642
                              • Instruction ID: fefc7b4827ebfe49aa99a57591013126896e337b51f62a1a11a51973f098ea59
                              • Opcode Fuzzy Hash: c41ed8b92215e6083b32c052f7dca08ddf41aaf7dfd2cad68e1d1c8cf968b642
                              • Instruction Fuzzy Hash: 5B31B130E1070A8BCB14AFB8D4502AEF7B1FF85310B118629D959B3340EF35A996CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 07fbf4af3231a914597e75371152a993feb9c3bcca3ffcbe19b94d040c934552
                              • Instruction ID: a76367d09901990952fd9640a2c18a52297312940d8cdfa73b0c2fe5a7158858
                              • Opcode Fuzzy Hash: 07fbf4af3231a914597e75371152a993feb9c3bcca3ffcbe19b94d040c934552
                              • Instruction Fuzzy Hash: AE31DF31E1070A8BCB14AFB8D4502EEF7B1FF95714B118629D859B7340EF35A996CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eae02861d7ccb8c0c442f8b29718a38023e53f0b54d192d450c7a535983a43a6
                              • Instruction ID: 623b101f0fe633489c4da3b5dbc73d95419adf69fb4bf81ccc702c914cf22a36
                              • Opcode Fuzzy Hash: eae02861d7ccb8c0c442f8b29718a38023e53f0b54d192d450c7a535983a43a6
                              • Instruction Fuzzy Hash: B021D1397122019BE7185B7CD06972E3EE6EBC4261F144438E90EDB384DF78DC4687A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515218351.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_116d000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7b2c4032136d99a1d0e923cef68ac26e72a6718c210e02b1b00d5cb498186bd2
                              • Instruction ID: 1ca33004e2ca19c84c3e083ddde688ad7a13d4930533b726bf74fcbbeb61221a
                              • Opcode Fuzzy Hash: 7b2c4032136d99a1d0e923cef68ac26e72a6718c210e02b1b00d5cb498186bd2
                              • Instruction Fuzzy Hash: EA21D872604240DFDF09DF94E9C4B26BF69FB88720F24856DE9451B246C337D466CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515218351.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_116d000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c0089cfc16014f643581a73740dba2cc7ea3cf683e52efa9e737ac9f3c861fb4
                              • Instruction ID: 0f1890b0eb68c1c8d6476b3a0bd8846762c398f681deaf7e156ba6c2b3deeb80
                              • Opcode Fuzzy Hash: c0089cfc16014f643581a73740dba2cc7ea3cf683e52efa9e737ac9f3c861fb4
                              • Instruction Fuzzy Hash: 3F2128B2604244DFDF09DF98E8C0B26BF69FB88324F248569E8850B246C377D465C7A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6ca0daeb6db946eb1e4f84d68d19a4d8fac20674a6589a94f8bce2128c1fc70f
                              • Instruction ID: 085a2841833c10e834e1f2430b270fb918b759f1cbba57996527c55ead70234e
                              • Opcode Fuzzy Hash: 6ca0daeb6db946eb1e4f84d68d19a4d8fac20674a6589a94f8bce2128c1fc70f
                              • Instruction Fuzzy Hash: D62190307272958BDB2D5B39A02A33D3EA5AB51B69B05402DFC47C6681DF6EC843CB71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 09c3c4011968186bd4c414bb6e0ef9b153058a429550c0f51bedf5ff695ce925
                              • Instruction ID: 0a5f64848e33937837936797f9cac4f683529386a69181ae15ec7422a4174e48
                              • Opcode Fuzzy Hash: 09c3c4011968186bd4c414bb6e0ef9b153058a429550c0f51bedf5ff695ce925
                              • Instruction Fuzzy Hash: D9313835900209EFCB05BFA0E95DEAD7FBAFB48301F048854FA04A6264CB325E15DF20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f486a9c4dedb890a4ac2245d9a4689af2d101dd8cb850fd8b1c8b85f6854f160
                              • Instruction ID: 577417745bd3b15dfc456b5c0ed290eb8ad2f17c7602ff631bf2099b78dc43a9
                              • Opcode Fuzzy Hash: f486a9c4dedb890a4ac2245d9a4689af2d101dd8cb850fd8b1c8b85f6854f160
                              • Instruction Fuzzy Hash: A7314A35900209EFCB05BFA0E95DEAD7FBAFB48301F048854FA0496264CB325E15DF20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2773508a6287b5ae562d412dc570fb6abbc9ed4682a988a05d17f2db693b9b79
                              • Instruction ID: 8727c8011e3727072a93e78cda1289fa708f4999fff79c419b18fe1f51126fc3
                              • Opcode Fuzzy Hash: 2773508a6287b5ae562d412dc570fb6abbc9ed4682a988a05d17f2db693b9b79
                              • Instruction Fuzzy Hash: 472180342047828FC725DF28C0805AF7FE1AF98610B148A19E8868B755DF38E84ADB65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4a4c3c61b463d3cd162f2fb409bfe07bb040f6505dbefb675072ea7b79cc676d
                              • Instruction ID: dc435fe000564219fe6c364872176273294e62006d4bfa372214d30c98a50507
                              • Opcode Fuzzy Hash: 4a4c3c61b463d3cd162f2fb409bfe07bb040f6505dbefb675072ea7b79cc676d
                              • Instruction Fuzzy Hash: F4217C306272998BDB2E6B39A01A23D3EA4AB61A69705405DFC4786641DF6DC803CB71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: acc097292863b9fe201d40530e50a71d9e3e6ea5b89091495584e160df3ea610
                              • Instruction ID: 902b2ce9496b9ebbff5cdadc066b984db72887f804d9ac33dab1b72de25708ab
                              • Opcode Fuzzy Hash: acc097292863b9fe201d40530e50a71d9e3e6ea5b89091495584e160df3ea610
                              • Instruction Fuzzy Hash: BB11E1353102019BC708EF28E9847AD7BAAEF94744F54882DE64A8B291DB75DD0AC7E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 42843e31df528ed71eb9dc10aee4fd38d6ec63e682538fea8c481caf58a5e1c0
                              • Instruction ID: 570af817bf506f29fbbb6c0c0f69adf0de156eb89297c187449e1acb6b95b746
                              • Opcode Fuzzy Hash: 42843e31df528ed71eb9dc10aee4fd38d6ec63e682538fea8c481caf58a5e1c0
                              • Instruction Fuzzy Hash: C8218134211600CFC354AB28E69896E7BB3FFC9315B644859E84B8B750DF36FC068BA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d71cb4d158cd9eb432622f7f3d1761ddb50b7144dc0ce5794e0d53589828996b
                              • Instruction ID: 41ebfb99b44f81571acbe7d76c306543757bcce2edbb0ac7c06f72d57bfb1a90
                              • Opcode Fuzzy Hash: d71cb4d158cd9eb432622f7f3d1761ddb50b7144dc0ce5794e0d53589828996b
                              • Instruction Fuzzy Hash: BD119B3540D7C58FC729DB38D8510997FB5FE32620709488FD0899B753CB29910ACBB6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3dfe95b8aef0fbe23af95c055957b63520feb059b61e1f7091c9f1047f4bf9c3
                              • Instruction ID: 1c76d263f809be3289303ceb278724520ebdb7ac7636a1d4f12f4fef77d40280
                              • Opcode Fuzzy Hash: 3dfe95b8aef0fbe23af95c055957b63520feb059b61e1f7091c9f1047f4bf9c3
                              • Instruction Fuzzy Hash: 3F115E34211600CFC354AB28E59892EBBB7FFD92157944819E94B8B750CF36FC068BA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7fb09a258df3ec2f93ad17a3c819b8b75e06f87e892a1daaa36b65acb32c93b8
                              • Instruction ID: 91adde45c755342f6bd5d679228fe9ae2cf2a1e04f4aae66735b888450bb3fe4
                              • Opcode Fuzzy Hash: 7fb09a258df3ec2f93ad17a3c819b8b75e06f87e892a1daaa36b65acb32c93b8
                              • Instruction Fuzzy Hash: B71173303102019BD708EE29E4947AE7B9AEB94750F90882DE50A8B291DF75DD4687E5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515218351.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_116d000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5f87ba3aa2c64edba505929a8d0f86639ffc52edd14bb0fad99d14871d38c3be
                              • Instruction ID: 44bec7bcaaa8bbb6b4d2e7f54abc91f6810a956c6a6e7de301c981c95f0c3463
                              • Opcode Fuzzy Hash: 5f87ba3aa2c64edba505929a8d0f86639ffc52edd14bb0fad99d14871d38c3be
                              • Instruction Fuzzy Hash: FB219D76504280DFDF06CF94E9C4B16BF71FB88324F2486A9D9440B65AC33AD466CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9c7320ee4684eef566711290a0a1b141bf6dbaff4516e6e9efb9825ff3451e8e
                              • Instruction ID: 8a75d2574f4444bfcf36bf4a3d9c8fb2e09f76c9f7f6be6c1e4b371031bfe93f
                              • Opcode Fuzzy Hash: 9c7320ee4684eef566711290a0a1b141bf6dbaff4516e6e9efb9825ff3451e8e
                              • Instruction Fuzzy Hash: 2D11E530B012049FD715AB78982576E3FF6AF85700F1080A5E90ADB3D5DF34CD0687A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515218351.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_116d000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5289b4a0742b719c39296e888207fcd63aeccd178d6e4a91aef647a94db2ca4b
                              • Instruction ID: 4735017702606c17457c5bf927ae2e00fdd3175dee088de85eb5a8342e9ba1cf
                              • Opcode Fuzzy Hash: 5289b4a0742b719c39296e888207fcd63aeccd178d6e4a91aef647a94db2ca4b
                              • Instruction Fuzzy Hash: 3711B176504284CFDF16CF54D9C4B16BF71FB84324F2486A9D8440B616C33AD466CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d791fa207e4b0577a11c88aaa1a60216f81b8fafe19e64a0b211d7332991a4e3
                              • Instruction ID: a2179c62306c377cc50c8e14b03690950ba7ccff0425cfccd70acf9d236a26fa
                              • Opcode Fuzzy Hash: d791fa207e4b0577a11c88aaa1a60216f81b8fafe19e64a0b211d7332991a4e3
                              • Instruction Fuzzy Hash: 9C01A1303123409FCB545B74E48872EFBABFBC8265F54482DE9468B381CFB5A8078B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 97c000c04278d7fd91e26b305d98caa6d8e5945a5401705a7778e7e3c0d1a850
                              • Instruction ID: d2764babbc98bb3be3938adaab45e38166970e487b0b743e40628395b56139cc
                              • Opcode Fuzzy Hash: 97c000c04278d7fd91e26b305d98caa6d8e5945a5401705a7778e7e3c0d1a850
                              • Instruction Fuzzy Hash: 1A01B574B042199FCB14DBA8D864AAEBFFAFBD8310F10802AD50AE3355DA755D0287B1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: af369680739a9a3ca0168b68df776b44b673193e8eef09477c21a08cad648fdf
                              • Instruction ID: a167434c84de5c2422057a822eb1f1a3e33928ac94684136b97d431cd5c82558
                              • Opcode Fuzzy Hash: af369680739a9a3ca0168b68df776b44b673193e8eef09477c21a08cad648fdf
                              • Instruction Fuzzy Hash: 81F0443531A2112BE328227C1C25BAE3EA79BC7670F24423AF529DB3C1DE295C028321
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a94e646e448451dd85939e20feda19604ac0f8143007ceaadf93b4cf677bc559
                              • Instruction ID: e55c434b6588774d916fb993f818577ffa8a8b4e162a2c1c56eeb55f37dc2fe8
                              • Opcode Fuzzy Hash: a94e646e448451dd85939e20feda19604ac0f8143007ceaadf93b4cf677bc559
                              • Instruction Fuzzy Hash: 9E019275E002158FCB44EF68E8556AEBBF5EB89210B144429E909E3300DB354D068BE5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 696c694a746fe7498bdc7d889a355b013a49b05da23390b0eb940610a59efedd
                              • Instruction ID: ea4e7a1a96e01f05c196ac94824786b1852f2968bf1ce349ea14b42379c3fb99
                              • Opcode Fuzzy Hash: 696c694a746fe7498bdc7d889a355b013a49b05da23390b0eb940610a59efedd
                              • Instruction Fuzzy Hash: FA018F34B002199BCB18ABA9D864B6EBBBBFBC8310F204029D50AE3344CA755D0247F1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 42c4d69212eb84ca62a0f4acc4c71be14ca9d1145a5520e43bb11da2a1303c9f
                              • Instruction ID: 32ffd3af5a88f7149f0fe0f762ecbb6dbb6b396cfc5ad642ee7b7749d572ac0e
                              • Opcode Fuzzy Hash: 42c4d69212eb84ca62a0f4acc4c71be14ca9d1145a5520e43bb11da2a1303c9f
                              • Instruction Fuzzy Hash: 1F01A275F002159FCB04EFA8E8545AEBBF9EBC9220B104469E909E3344EF754E068BF5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37d01fd085ce194bb8a3d7155d2c71dad2c69d4c232cdca69507d54420eb68a6
                              • Instruction ID: 9a0e47e97a86c8d8e9a53be040c7a4b76985919cfa588f273174dc879c5a6e1c
                              • Opcode Fuzzy Hash: 37d01fd085ce194bb8a3d7155d2c71dad2c69d4c232cdca69507d54420eb68a6
                              • Instruction Fuzzy Hash: 22017C35200605CFC714DF1DE584A8ABBA5EF84710B558469E5058B721EBB4F8018BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e8e309160a48d9a5be60a020ecc880bd8c6bd21de0b26c032f3e4ce28cf8406c
                              • Instruction ID: 41da62936b94cb7be9a06271600c4102317ac7e965e279b706a3fc3fcb0d1d04
                              • Opcode Fuzzy Hash: e8e309160a48d9a5be60a020ecc880bd8c6bd21de0b26c032f3e4ce28cf8406c
                              • Instruction Fuzzy Hash: 32014B35200605CFC754DF19E544D9ABBA6EF88710751C46AE5458B721DBB0F9028BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 582d0fdbf39d3c04bbe098e71a22520f2855f3aae3ef85b54efe852242de87e8
                              • Instruction ID: 4af62059357d01617c3ae709e7d9a5d306994ffd8f05c0674a3fdba3eacbb02e
                              • Opcode Fuzzy Hash: 582d0fdbf39d3c04bbe098e71a22520f2855f3aae3ef85b54efe852242de87e8
                              • Instruction Fuzzy Hash: 71F0BE327042088FD7189B29E89ABABFBA9EFD4620F24803ED50687351DB719C45CA90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e8667e185279ea64b762a3f54ed8dfbd0355570efde5ef325c8e90e2bf4d291c
                              • Instruction ID: 6fb1c0c1cc3090e84f8945a6450bbe2c50e0c530f981344155182fb02e3080f1
                              • Opcode Fuzzy Hash: e8667e185279ea64b762a3f54ed8dfbd0355570efde5ef325c8e90e2bf4d291c
                              • Instruction Fuzzy Hash: 0EF01471A01619DFCB54EF69D40959EBFF1BF88714B004A2AE849E3240D7745A0A8BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d86d0bad3fdcdf346d0b7c3b6ad5193aaeee9481e8f5f7785c135e57cadc7a24
                              • Instruction ID: 6ce5ad00ba975fc39ab1cb02d527494df63065784b0ac88370d81fb598efe0e6
                              • Opcode Fuzzy Hash: d86d0bad3fdcdf346d0b7c3b6ad5193aaeee9481e8f5f7785c135e57cadc7a24
                              • Instruction Fuzzy Hash: F501F674A05219EBDF04CF90D985FEDBB72BF48700F104009E841BA2A0DB355940DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 401300a1f5fea9676e66abdb5c22f10121289a30c753bcf41cc7b094b628b8e6
                              • Instruction ID: c62025063ff960a0cfadd3b6a0b2dfd5e1d29ac4c0145eebd3ecf22afb1d4061
                              • Opcode Fuzzy Hash: 401300a1f5fea9676e66abdb5c22f10121289a30c753bcf41cc7b094b628b8e6
                              • Instruction Fuzzy Hash: C8F0F971A01619CFCB54EF69D40559EBFF5FF88720B00462AE949E3310DB746A058FA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 64d1ea23b81f5840f302c85a7113611477686b6e8f810218ad1ad3caeeeb00f6
                              • Instruction ID: 6b78537f7046ec22bcc7bffb586163e499cdcd9451a81653f903d7f1dc1183b8
                              • Opcode Fuzzy Hash: 64d1ea23b81f5840f302c85a7113611477686b6e8f810218ad1ad3caeeeb00f6
                              • Instruction Fuzzy Hash: 3DE0D83631832133E528145E6C41FAB694F97C6A70E744328B13DA73C0CD5168014168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 87cd6bf93358b4ec7ad62d234f55a66f2e3265cea758709a8b27809853296b5b
                              • Instruction ID: 9958cc043ed8d65f570ba523ff5bc4c9867cd3dbe2245fa8945938bf481a86e9
                              • Opcode Fuzzy Hash: 87cd6bf93358b4ec7ad62d234f55a66f2e3265cea758709a8b27809853296b5b
                              • Instruction Fuzzy Hash: EBE02B322102419BD3189A9DE880B9ABFBDFBC5764F084829E60C87350CF76A806C3E1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 93c5ac9a8a2d77b0e954ad33d1330f6f71a5c955d174b4f4bcd1c5770ffbb73a
                              • Instruction ID: cd6d94d203c4907bdef359e40caf28dc194262618933f8bc01974bd085f6e60c
                              • Opcode Fuzzy Hash: 93c5ac9a8a2d77b0e954ad33d1330f6f71a5c955d174b4f4bcd1c5770ffbb73a
                              • Instruction Fuzzy Hash: FAF0E9719141599BDF24CE68EC807DABBB4EB94350F0086BBD515E22C0DF705A54CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f6f6036cc67ba2c736bf22ca9c31f789cf1fbf982e7a1e67b03160aca6c7568
                              • Instruction ID: d25bc4c50c53dc411e21a3c4a7c8153cc203895936f73de742b2e6c55068dce9
                              • Opcode Fuzzy Hash: 7f6f6036cc67ba2c736bf22ca9c31f789cf1fbf982e7a1e67b03160aca6c7568
                              • Instruction Fuzzy Hash: FCE0223620120167C704266AFC84A6EFE6EEBCA220F40403AFA08C3300EEB68C0656B1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6732b7fa9d9a0f97b9bef7584cca43179c10ce35619d1b955e582a68fa607db
                              • Instruction ID: 18546a346a15337e5163d1af380a40ba08b3a38b64ecf0d18ad953630d25fe07
                              • Opcode Fuzzy Hash: d6732b7fa9d9a0f97b9bef7584cca43179c10ce35619d1b955e582a68fa607db
                              • Instruction Fuzzy Hash: FDE06F3230131893C31801AAA8106B9FB5ADBE1620B0C0439EA04CB300FE28C80282A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f8d9b9094724aff63fd63c9f2b4eaf393e959c8414bce631c45b409851da514f
                              • Instruction ID: 1f6cd4cbbd7630dd617fe781315335f416dd1e7094370565054f3e469b024499
                              • Opcode Fuzzy Hash: f8d9b9094724aff63fd63c9f2b4eaf393e959c8414bce631c45b409851da514f
                              • Instruction Fuzzy Hash: C6E0203531121067C304376AFC4485FFE6ED7CA220B40443AF90DC3300DEB64C0646B1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb8b256bd966b0a83af86073110add6106e7fd67e3e0efb914dddea6a43e2c1f
                              • Instruction ID: d232a6dc62ee1d94bb5d97b1a1834ff3a5f41553edcb2b619e4f4c168fc7237e
                              • Opcode Fuzzy Hash: bb8b256bd966b0a83af86073110add6106e7fd67e3e0efb914dddea6a43e2c1f
                              • Instruction Fuzzy Hash: A7E01A35612300CB83295A25F84545ABBB6FBC96A6364447EFC0683710DEB6E843CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a34713ed09b0343bfd51834678835fedc6205085a25074af7412f17ea987712a
                              • Instruction ID: 51a33506f28a1af29f4aa6a9969248315a6c20129e4efb9b6b9f391b08f88a53
                              • Opcode Fuzzy Hash: a34713ed09b0343bfd51834678835fedc6205085a25074af7412f17ea987712a
                              • Instruction Fuzzy Hash: 51E086316001149FC714DB6CD985B997BB8FF04614F640068EA05D7251DF21DC39CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4383273e25c29210d8a021656b2320b1df68617f98fa0a340159a946a8fe65af
                              • Instruction ID: 9e8acda928fa1d0cf4a1b77366c726645940aa0ebfa13d7197f3bde65e0504c1
                              • Opcode Fuzzy Hash: 4383273e25c29210d8a021656b2320b1df68617f98fa0a340159a946a8fe65af
                              • Instruction Fuzzy Hash: D9E0C233100224A7EB04CB98D891BDFBB78DF41260F24011ED116E7600EE701E2082E4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6da320b2ae6227949e26ef083c6acde0718391f337ac1ac19965f9ce12cc4d3f
                              • Instruction ID: 6a51aed67047bcd45a78496d558c6cea25be0600557cf2326b993e5746c0a5c5
                              • Opcode Fuzzy Hash: 6da320b2ae6227949e26ef083c6acde0718391f337ac1ac19965f9ce12cc4d3f
                              • Instruction Fuzzy Hash: 55E0BF35712704CBC3295B25F8454567BB6FBC9666364447EFC0683710DE76E843CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ea2e5221877cdcd5aa8f6d193bcd8152d7bb7c09e41e2a082a5a036c294c7fd5
                              • Instruction ID: f11f88a82703250f52ae8b351548019242f439192a9b31131a2cc13295172651
                              • Opcode Fuzzy Hash: ea2e5221877cdcd5aa8f6d193bcd8152d7bb7c09e41e2a082a5a036c294c7fd5
                              • Instruction Fuzzy Hash: 03E04F7091124CEFCB58EFA8D5416EC77B4FB55244F204AAAD408E7345EB311F449B40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 55420305b8717d0b1ed230f38c9a3babe9b9e0e27d83b9c7b77ad79b622aef86
                              • Instruction ID: 0c42b9010bfa66cfe0b1b758fc7f045df5fbe27dbe52da7c1fc87f3a8c9817da
                              • Opcode Fuzzy Hash: 55420305b8717d0b1ed230f38c9a3babe9b9e0e27d83b9c7b77ad79b622aef86
                              • Instruction Fuzzy Hash: 9DD05E70A0024CEFCB48FFA8D94055DB7B9FB44204B2049A9E408E3344EF322F04EB94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6e72a4c1dbab69b2608fdae9bca8b0f28bcf2bf32a52841a2d796266b2ac3a14
                              • Instruction ID: 01c0bc78a49a24587257790c2f0d7045f2ed90944a053893528b42e1e040d801
                              • Opcode Fuzzy Hash: 6e72a4c1dbab69b2608fdae9bca8b0f28bcf2bf32a52841a2d796266b2ac3a14
                              • Instruction Fuzzy Hash: 69D01233604328AB5B04DAE9A4509DFBFBDDA85170F01416ED519EB740ED751E4042E9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4fdf4eabf362371fc945376a055b377041f20358c5ef1b39314c9629914fe319
                              • Instruction ID: 7f501228fa52ac494ed00a8f700aadb90b1684c519a50cabef0a4b4fa5859ebb
                              • Opcode Fuzzy Hash: 4fdf4eabf362371fc945376a055b377041f20358c5ef1b39314c9629914fe319
                              • Instruction Fuzzy Hash: 7AD05E3931422497D6097A4CF46474FB66AEB8A308F988014A109C734DDFA64C0657E2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9894b1e2811fd352754f78b46dff58c8e289bfec537635de254717b38340f2ee
                              • Instruction ID: 9fc336864c6243d41b2844816932e1f3316f36708939f75e23bc5252b2922f4e
                              • Opcode Fuzzy Hash: 9894b1e2811fd352754f78b46dff58c8e289bfec537635de254717b38340f2ee
                              • Instruction Fuzzy Hash: ECE017B4A012948BEB18EF29E09476FBBA2AB89304F5481589005CB349DBB5CE819B50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 59705b2764531d1ca2a683d63e46953f28391f8837c90fb1affd2b8c1e1cc42a
                              • Instruction ID: 2c73fbc97f78d7f7de563350385c7e0d96db44f64936a4efc2773899d1383b60
                              • Opcode Fuzzy Hash: 59705b2764531d1ca2a683d63e46953f28391f8837c90fb1affd2b8c1e1cc42a
                              • Instruction Fuzzy Hash: 08A0128910020642E006359CD06230DC0159FC1104FC0C40001489A344DD1D44013373
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a98dd21c82b528e8f86dec3cdddcee5f52262d368a93037ac312552617b4a23e
                              • Instruction ID: 6ac79b3a56c4161fa934bc21daaec2151c652947f325baeca5e3baeba51a3e63
                              • Opcode Fuzzy Hash: a98dd21c82b528e8f86dec3cdddcee5f52262d368a93037ac312552617b4a23e
                              • Instruction Fuzzy Hash: D3A0012961122287EE089B64E9EA57DBB26BB813553684459A912C7240DE288D26F660
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Memory Dump Source
                              • Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 79e33815ff7d9aeae38291315e6ba21b7ad5e8bea658e77b295bdedfece3880a
                              • Instruction ID: aaebbb883fff2ba70a1f3fd25c86de7280161fb9d80522d2a33d79afef24c10c
                              • Opcode Fuzzy Hash: 79e33815ff7d9aeae38291315e6ba21b7ad5e8bea658e77b295bdedfece3880a
                              • Instruction Fuzzy Hash: 39D19035B002058FDB18DB79D854A6E7BF6AF99710F148469E90ADB391DF34DC02CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%
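The function listing above is tool output, so the useful practitioner step is to pull it back into structured form: which memory regions the carved functions came from, whether any region is backed by a PE image, and whether the fingerprints are usable for cross-sample comparison. The Python below is an added example and is not part of the Joe Sandbox report or its IDA plugin. The three embedded records are copied from this page (with indentation dropped); the parser, the field handling and the summary keys are my own assumptions about the plain-text layout, not a documented Joe Sandbox format.

```python
import re
from collections import Counter, defaultdict

# Constructed input: three records copied from this report (indentation dropped).
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000002.00000002.515218351.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_116d000_sotema_7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5289b4a0742b719c39296e888207fcd63aeccd178d6e4a91aef647a94db2ca4b
• Instruction ID: 4735017702606c17457c5bf927ae2e00fdd3175dee088de85eb5a8342e9ba1cf
• Opcode Fuzzy Hash: 5289b4a0742b719c39296e888207fcd63aeccd178d6e4a91aef647a94db2ca4b
• Instruction Fuzzy Hash: 3711B176504284CFDF16CF54D9C4B16BF71FB84324F2486A9D8440B616C33AD466CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c7320ee4684eef566711290a0a1b141bf6dbaff4516e6e9efb9825ff3451e8e
• Instruction ID: 8a75d2574f4444bfcf36bf4a3d9c8fb2e09f76c9f7f6be6c1e4b371031bfe93f
• Opcode Fuzzy Hash: 9c7320ee4684eef566711290a0a1b141bf6dbaff4516e6e9efb9825ff3451e8e
• Instruction Fuzzy Hash: 2D11E530B012049FD715AB78982576E3FF6AF85700F1080A5E90ADB3D5DF34CD0687A1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d791fa207e4b0577a11c88aaa1a60216f81b8fafe19e64a0b211d7332991a4e3
• Instruction ID: a2179c62306c377cc50c8e14b03690950ba7ccff0425cfccd70acf9d236a26fa
• Opcode Fuzzy Hash: d791fa207e4b0577a11c88aaa1a60216f81b8fafe19e64a0b211d7332991a4e3
• Instruction Fuzzy Hash: 9C01A1303123409FCB545B74E48872EFBABFBC8265F54482DE9468B381CFB5A8078B60
Uniqueness

Uniqueness Score: -1.00%
"""

# Regexes are assumptions about the plain-text layout shown on this page.
SOURCE_RE = re.compile(r"Source File:\s*(\S+?),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
FIELD_RE = re.compile(r"^\s*•\s*([^:\n]+):[ \t]*(.*?)\s*$", re.M)
SCORE_RE = re.compile(r"Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%")
HASH_FIELDS = ("Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")
REF_FIELDS = ("API ID", "String ID", "API String ID")


def parse_records(text):
    """Return one dict per 'Memory Dump Source' block found in the report text."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        src = SOURCE_RE.search(chunk)
        if not src:  # malformed block without a source line: skip it
            continue
        rec = {"dump": src.group(1), "offset": int(src.group(2), 16), "pe_backed": src.group(3) == "true"}
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(chunk)}
        for name in HASH_FIELDS + REF_FIELDS:
            rec[name] = fields.get(name) or None  # an empty field such as 'API ID:' becomes None
        score = SCORE_RE.search(chunk)
        rec["uniqueness"] = float(score.group(1)) if score else None
        records.append(rec)
    return records


def summarise(records):
    """Group carved functions by memory region and check what the listing does (and does not) provide."""
    regions = defaultdict(list)
    for r in records:
        regions[f"{r['offset']:08X}"].append(r)
    opcode_counts = Counter(r["Opcode ID"] for r in records if r["Opcode ID"])
    return {
        "functions_per_region": {k: len(v) for k, v in sorted(regions.items())},
        # 'based on PE: false' means the dump is not anchored to a PE image; true of every region here
        "unbacked_regions": sorted(k for k, v in regions.items() if not any(x["pe_backed"] for x in v)),
        # in this report the Opcode ID and the Opcode Fuzzy Hash carry the same value
        "opcode_id_equals_fuzzy": all(r["Opcode ID"] == r["Opcode Fuzzy Hash"] for r in records),
        # no API or string references were resolved for any of these functions
        "has_api_refs": any(r[n] for r in records for n in REF_FIELDS),
        # an Opcode ID seen in more than one block would point at duplicated code within the dump
        "repeated_opcode_ids": sorted(h for h, c in opcode_counts.items() if c > 1),
        "well_formed_hashes": all(r[n] and re.fullmatch(r"[0-9a-fA-F]+", r[n]) for r in records for n in HASH_FIELDS),
    }
```

Run `summarise(parse_records(SAMPLE_REPORT))` against the full report text to get the per-region counts; the same parser can be pointed at a second sample's report, and the Opcode ID / Instruction Fuzzy Hash values compared between the two record sets, which is the cross-sample use these fingerprints are listed for. Note that the empty API ID, String ID and API String ID fields mean no API or string similarity was recorded for these functions, so only the opcode and instruction fingerprints are available for matching.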