Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1519329
MD5:2cfc1aa34c34f4968b099aa7646097a5
SHA1:8f0474e95ebd679be59eb2c002056bef9361305c
SHA256:330b91473f27721d99e11cde67a05631aefcac78b6b69fc7b6bb61bd053ddbe6
Tags:exeuser-Bitsight
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 3196 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2CFC1AA34C34F4968B099AA7646097A5)
    • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 5536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "91.211.248.215:24327", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000003.00000002.2366089599.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000000.00000002.2170183129.0000000003A95000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
            Process Memory Space: file.exe PID: 3196JoeSecurity_RedLineYara detected RedLine StealerJoe Security
              Process Memory Space: RegAsm.exe PID: 5536JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                Click to see the 1 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.2.file.exe.3a95570.0.raw.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  3.2.RegAsm.exe.400000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                    0.2.file.exe.3a95570.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security

                      Sigma Signatures

                      No Sigma rule has matched

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-26T11:32:14.378994+020020432341A Network Trojan was detected91.211.248.21524327192.168.2.649711TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-26T11:32:14.203025+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:19.440734+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:20.100634+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:20.373552+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:20.832089+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:21.060538+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:22.487259+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:22.666955+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:23.013834+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:23.253329+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:23.440567+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:23.732396+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:24.016824+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:24.193018+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:24.418887+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:26.087980+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:26.402758+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:26.407741+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:27.181688+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:27.398083+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:27.574784+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:27.754493+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:27.930030+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:28.105518+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:28.355607+020020432311A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-26T11:32:20.106375+020020460561A Network Trojan was detected91.211.248.21524327192.168.2.649711TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-26T11:32:14.203025+020020460451A Network Trojan was detected192.168.2.64971191.211.248.21524327TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Found malware configuration
                      Source: 00000000.00000002.2170183129.0000000003A95000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: RedLine {"C2 url": "91.211.248.215:24327", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
                      Multi AV Scanner detection for submitted file
                      Source: file.exeReversingLabs: Detection: 39%
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.6:49711 -> 91.211.248.215:24327
                      Source: Network trafficSuricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.6:49711 -> 91.211.248.215:24327
                      Source: Network trafficSuricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 91.211.248.215:24327 -> 192.168.2.6:49711
                      Source: Network trafficSuricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 91.211.248.215:24327 -> 192.168.2.6:49711
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: 91.211.248.215:24327
                      Source: global trafficTCP traffic: 192.168.2.6:49711 -> 91.211.248.215:24327
                      Source: Joe Sandbox ViewASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL ON-LINE-DATAServerlocation-NetherlandsDrontenNL
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.211.248.215
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9(
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002997000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002B96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002997000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002997000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002997000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.0000000002997000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002997000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002977000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002985000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                      Source: file.exe, 00000000.00000002.2170183129.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2366089599.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp255B.tmpJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp251C.tmpJump to dropped file

                      System Summary

                      barindex
                      .NET source code contains very large array initializations
                      Source: file.exe, MoveAngles.csLarge array initialization: MoveAngles: array initializer size 311296
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00C1DC743_2_00C1DC74
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_04DE69483_2_04DE6948
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_04DE7C203_2_04DE7C20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_04DE00403_2_04DE0040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_04DE00073_2_04DE0007
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_04DE7C103_2_04DE7C10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_04DE5A433_2_04DE5A43
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_060F67D83_2_060F67D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_060FA3E83_2_060FA3E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_060F3F503_2_060F3F50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_060FA3D83_2_060FA3D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_060F6FE83_2_060F6FE8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_060F6FF83_2_060F6FF8
                      Source: file.exe, 00000000.00000002.2167248594.0000000000ACE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
                      Source: file.exe, 00000000.00000002.2170183129.0000000003AD8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSeditions.exe8 vs file.exe
                      Source: file.exeBinary or memory string: OriginalFilenameVQP.exe< vs file.exe
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/7@0/1
                      Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.logJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp251C.tmpJump to behavior
                      Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: file.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.0000000002E06000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: file.exeReversingLabs: Detection: 39%
                      Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: esdsip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
                      Source: Google Chrome.lnk.3.drLNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_060FC711 push es; ret 3_2_060FC720
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_060FD412 push es; ret 3_2_060FD420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_060FECF2 push eax; ret 3_2_060FED01
                      Source: file.exeStatic PE information: section name: .text entropy: 7.994517021039135

                      Persistence and Installation Behavior

                      barindex
                      Installs new ROOT certificates
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 BlobJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 1080000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 2A90000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 2870000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: C10000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2830000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 4830000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 5244Jump to behavior
                      Source: C:\Users\user\Desktop\file.exe TID: 2276Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4864Thread sleep time: -11990383647911201s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3360Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                      Source: RegAsm.exe, 00000003.00000002.2380933754.0000000005A8C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2367662005.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.00000000029CF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.0000000002DBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbLR
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                      Source: RegAsm.exe, 00000003.00000002.2371076778.00000000038DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2371076778.0000000003937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02A92139 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_02A92139
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 78E008Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: RegAsm.exe, 00000003.00000002.2380933754.0000000005AAB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.file.exe.3a95570.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.3a95570.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.2366089599.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2170183129.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 3196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5536, type: MEMORYSTR
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                      Tries to steal Crypto Currency Wallets
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                      Source: Yara matchFile source: 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5536, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.file.exe.3a95570.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.3a95570.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.2366089599.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2170183129.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 3196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5536, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		411
                      Process Injection                      		1
                      Masquerading                      		1
                      OS Credential Dumping                      		231
                      Security Software Discovery                      		Remote Services1
                      Archive Collected Data                      		1
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                      DLL Side-Loading                      		1
                      Disable or Modify Tools                      		LSASS Memory1
                      Process Discovery                      		Remote Desktop Protocol2
                      Data from Local System                      		1
                      Non-Standard Port                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)241
                      Virtualization/Sandbox Evasion                      		Security Account Manager241
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin SharesData from Network Shared Drive1
                      Application Layer Protocol                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook411
                      Process Injection                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                      Obfuscated Files or Information                      		LSA Secrets1
                      File and Directory Discovery                      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Install Root Certificate                      		Cached Domain Credentials113
                      System Information Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                      Software Packing                      		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      file.exe39%ReversingLabsByteCode-MSIL.Trojan.Zilla

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                      https://api.ip.sb/ip0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/sc/sct0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha10%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/soap/envelope/0%URL Reputationsafe
                      http://tempuri.org/Entity/Id2Response0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id12Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id14ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id23ResponseD0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id90%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id80%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id21Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id6ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id50%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id40%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id70%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id60%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id19Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/fault0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id13ResponseD0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id15Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/sc0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id5ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id1ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id6Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id9Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id200%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id220%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id230%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA10%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA10%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id240%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id210%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id1Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id24Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id21ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/08/addressing0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id110%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id100%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id10ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id16Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id120%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id130%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id140%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id150%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id160%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id170%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id180%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id190%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id5Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id15ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id10Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/Renew0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id11ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id8Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.00%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id17ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentity0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id8ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA10%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/sc/sctRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id14ResponseDRegAsm.exe, 00000003.00000002.2367662005.0000000002997000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id23ResponseDRegAsm.exe, 00000003.00000002.2367662005.0000000002997000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id12ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id2ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id21ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id9RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id8RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id6ResponseDRegAsm.exe, 00000003.00000002.2367662005.0000000002985000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id5RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id4RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id7RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id6RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id19ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id13ResponseDRegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsatRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id5ResponseDRegAsm.exe, 00000003.00000002.2367662005.0000000002977000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://api.ip.sb/ipfile.exe, 00000000.00000002.2170183129.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2366089599.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id20RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id21RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id22RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id23RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id24RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id10RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id11RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000003.00000002.2367662005.0000000002997000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id12RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id13RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id14RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id15RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id16RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id17RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id18RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id19RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000003.00000002.2367662005.0000000002B96000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id17ResponseDRegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/soap/envelope/RegAsm.exe, 00000003.00000002.2367662005.0000000002831000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id8ResponseDRegAsm.exe, 00000003.00000002.2367662005.0000000002927000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1RegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trustRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackRegAsm.exe, 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      91.211.248.215
                      		unknownUkraine
                      		204601ON-LINE-DATAServerlocation-NetherlandsDrontenNLtrue

                      General Information

                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1519329
                      Start date and time:2024-09-26 11:31:10 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 5m 7s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:11
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@4/7@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 89
                      • Number of non-executed functions: 5
                      Cookbook Comments:
                      • Found application associated with file extension: .exe

                      Warnings

                      • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: file.exe

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      05:32:24API Interceptor27x Sleep call for process: RegAsm.exe modified

                      Joe Sandbox View / Context

                      IPs

                      No context

                      Domains

                      No context

                      ASNs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      ON-LINE-DATAServerlocation-NetherlandsDrontenNLfile.exeGet hashmaliciousLummaC, Clipboard Hijacker, Cryptbot, LummaC StealerBrowse
                      • 45.91.200.135
                      SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                      • 92.119.114.169
                      SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                      • 92.119.114.169
                      file.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, XmrigBrowse
                      • 45.91.200.135
                      9poHPPZxlB.exeGet hashmaliciousLummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, XmrigBrowse
                      • 92.119.114.169
                      file.exeGet hashmaliciousUnknownBrowse
                      • 92.119.114.169
                      file.exeGet hashmaliciousUnknownBrowse
                      • 92.119.114.169
                      SecuriteInfo.com.Trojan.PWS.RedLineNET.9.5979.19330.exeGet hashmaliciousRedLineBrowse
                      • 77.83.175.241
                      cHQg24hABF.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Stealc, Vidar, XWorm, zgRATBrowse
                      • 92.119.114.169
                      file.exeGet hashmaliciousUnknownBrowse
                      • 92.119.114.169

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\Public\Desktop\Google Chrome.lnk

                      Download File
                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:19 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
                      Category:dropped
                      Size (bytes):2104
                      Entropy (8bit):3.4666706587201315
                      Encrypted:false
                      SSDEEP:48:8SQd5TvG90lRYrnvPdAKRkdAGdAKRFdAKR6P:8S6by7
                      MD5:35A80D01B48EA8A6F909CD1A55CFF163
                      SHA1:642B7F564B38B40568DBDF38992B6D402D3370CC
                      SHA-256:5F00AADB8B2A4A8481AC48A0F20676E02DF7E0973AB5DC955A53FA28AE4D3DDF
                      SHA-512:9D730C2632A8988980E36D47CBB2857B5F3864B80ACF6849DD0695F51F1E31347E675406F70312C5BBF58DEC2A1EA4810BA1F1B76D3707AA42497B86DB056149
                      Malicious:false
                      Reputation:low
                      Preview:L..................F.@.. ......,..../.!.W....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IEW.5....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW@2....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.2..Chrome..>......CW.VEW.2....M.....................7...C.h.r.o.m.e.....`.1.....EW.2..APPLIC~1..H......CW.VEW.2..........................7...A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.5.........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

                      Download File
                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):3274
                      Entropy (8bit):5.3318368586986695
                      Encrypted:false
                      SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                      MD5:0B2E58EF6402AD69025B36C36D16B67F
                      SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                      SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                      SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

                      Download File
                      Process:C:\Users\user\Desktop\file.exe
                      File Type:CSV text
                      Category:modified
                      Size (bytes):425
                      Entropy (8bit):5.353683843266035
                      Encrypted:false
                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                      MD5:859802284B12C59DDBB85B0AC64C08F0
                      SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                      SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                      SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                      Malicious:true
                      Reputation:high, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

                      C:\Users\user\AppData\Local\Temp\Tmp251C.tmp

                      Download File
                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2662
                      Entropy (8bit):7.8230547059446645
                      Encrypted:false
                      SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                      MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                      SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                      SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                      SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                      C:\Users\user\AppData\Local\Temp\Tmp255B.tmp

                      Download File
                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2662
                      Entropy (8bit):7.8230547059446645
                      Encrypted:false
                      SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                      MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                      SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                      SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                      SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                      C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

                      Download File
                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2251
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3::
                      MD5:0158FE9CEAD91D1B027B795984737614
                      SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                      SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                      SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                      Malicious:false
                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      \Device\ConDrv

                      Download File
                      Process:C:\Users\user\Desktop\file.exe
                      File Type:ASCII text, with CRLF, LF line terminators
                      Category:dropped
                      Size (bytes):33
                      Entropy (8bit):2.2845972159140855
                      Encrypted:false
                      SSDEEP:3:i6vvRyMivvRya:iKvHivD
                      MD5:45B4C82B8041BF0F9CCED0D6A18D151A
                      SHA1:B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
                      SHA-256:7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
                      SHA-512:B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
                      Malicious:false
                      Preview:0..1..2..3..4..0..1..2..3..4.....

                      Static File Info

                      General

                      File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.986693995498632
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:file.exe
                      File size:321'536 bytes
                      MD5:2cfc1aa34c34f4968b099aa7646097a5
                      SHA1:8f0474e95ebd679be59eb2c002056bef9361305c
                      SHA256:330b91473f27721d99e11cde67a05631aefcac78b6b69fc7b6bb61bd053ddbe6
                      SHA512:81a4b338cf5a931e7a24c5de37069aec288cfbdd5f94895c470bef2f3407eea3e1046d5072e690430288719560baa4d63f21b89876c07d63811b5da3a9611e81
                      SSDEEP:6144:89ecSWylbPXlZctxOTyORbnRRX8LC3V7/9rQxf08+LFYM:89eDNvcqT9Z7WC5/9ES8y
                      TLSH:DB6423946B830172E1C84B32AEB7EA6DD0F7F5130342778F66EC0C8E92A59AD715B471
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....|.f................................. ........@.. .......................@............`................................

                      File Icon

                      Icon Hash:00928e8e8686b000

                      Static PE Info

                      General

                      Entrypoint:0x44fcee
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows cui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66F47C82 [Wed Sep 25 21:11:30 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                      Entrypoint Preview

                      Instruction
                      jmp dword ptr [00402000h]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al

                      Data Directories

                      NameVirtual AddressVirtual Size Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT0x4fc940x57.text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x500000x5b8.rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x520000xc.reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG0x4fb5c0x1c.text
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                      Sections

                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                      .text0x20000x4dcf40x4de008945b009e71a4c00f6e1b387d369c222False0.992406952247191data7.994517021039135IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rsrc0x500000x5b80x60059c39f15f05bc5bec30f54a84b9c8ed2False0.4361979166666667data4.110921347030149IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc0x520000xc0x200018bc3404a75d8e475430c0894fe6423False0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Resources

                      NameRVASizeTypeLanguageCountryZLIB Complexity
                      RT_VERSION0x500a00x324data0.4552238805970149
                      RT_MANIFEST0x503c80x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                      Imports

                      DLLImport
                      mscoree.dll_CorExeMain

                      Network Behavior

                      Suricata IDS Alerts

                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                      2024-09-26T11:32:14.203025+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:14.203025+02002046045ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:14.378994+02002043234ET MALWARE Redline Stealer TCP CnC - Id1Response191.211.248.21524327192.168.2.649711TCP
                      2024-09-26T11:32:19.440734+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:20.100634+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:20.106375+02002046056ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)191.211.248.21524327192.168.2.649711TCP
                      2024-09-26T11:32:20.373552+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:20.832089+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:21.060538+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:22.487259+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:22.666955+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:23.013834+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:23.253329+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:23.440567+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:23.732396+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:24.016824+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:24.193018+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:24.418887+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:26.087980+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:26.402758+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:26.407741+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:27.181688+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:27.398083+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:27.574784+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:27.754493+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:27.930030+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:28.105518+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP
                      2024-09-26T11:32:28.355607+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.64971191.211.248.21524327TCP

                      Network Port Distribution

                      TCP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Sep 26, 2024 11:32:13.500581980 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:13.505496025 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:13.505647898 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:13.523066998 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:13.527842045 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:14.141542912 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:14.184636116 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:14.203025103 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:14.207935095 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:14.378993988 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:14.434525967 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:19.440733910 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:19.445719004 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:19.620354891 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:19.620385885 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:19.620441914 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:19.620455980 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:19.620469093 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:19.620481014 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:19.620482922 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:19.620639086 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:20.100634098 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:20.106374979 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.299901009 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.340761900 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:20.373552084 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:20.378576040 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.378592968 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.378616095 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.378627062 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.378635883 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.378643990 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.378664017 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.378673077 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.378679991 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.378690004 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.378735065 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:20.383609056 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.383627892 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.383636951 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.819842100 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:20.832088947 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:20.836893082 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:21.009042978 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:21.059515953 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:21.060538054 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:21.066297054 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:21.235510111 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:21.278279066 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:22.487258911 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:22.492295980 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:22.661741972 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:22.666954994 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:22.671750069 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:22.841356993 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:22.887653112 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:23.013834000 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:23.019962072 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:23.189404964 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:23.231429100 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:23.253329039 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:23.260410070 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:23.430255890 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:23.440567017 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:23.445400953 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:23.615128040 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:23.668874025 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:23.732395887 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:23.737320900 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:23.977459908 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:24.016824007 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:24.022330999 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:24.191739082 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:24.193017960 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:24.197875023 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:24.367187977 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:24.418886900 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.087980032 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.092912912 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.263606071 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.309518099 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.402757883 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.407677889 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.407737970 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.407741070 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.407748938 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.407785892 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.407793045 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.407795906 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.407874107 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.408128023 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.408186913 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.408222914 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.408286095 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.408443928 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.408452988 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.408504963 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.409744024 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.409801960 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.413697004 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.413716078 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.413724899 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.413741112 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.413747072 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.413763046 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.413810015 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.413810968 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.413871050 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.413906097 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.413942099 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.413959980 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.413983107 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.414048910 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.414063931 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.414120913 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.414293051 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.414313078 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.414321899 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.414340973 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.414390087 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.414542913 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.414592028 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.419296026 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419347048 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419361115 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419365883 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.419394016 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419418097 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.419450045 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419457912 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.419461966 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419523001 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.419713974 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419723988 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419740915 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419750929 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419754982 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419758081 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419766903 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419775009 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419780970 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.419791937 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419799089 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.419800043 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419819117 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419831991 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419877052 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419887066 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419903994 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419913054 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.419998884 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420006037 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420012951 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420017004 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420037985 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420044899 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.420047045 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420088053 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.420101881 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420114040 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420125961 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.420140028 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420149088 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420191050 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.420197010 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420212030 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420221090 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.420249939 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.420275927 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.420315981 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420361996 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420366049 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.420377970 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420387030 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420396090 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420403957 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420413017 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420423985 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.420428991 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.424119949 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424130917 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424141884 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424150944 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424209118 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424220085 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424243927 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424256086 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424369097 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424401999 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424411058 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424421072 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424607038 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424619913 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424628973 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424638033 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424645901 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424654961 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424670935 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424685001 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424705982 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424715042 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424767017 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424777031 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424796104 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424804926 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424814939 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424869061 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424877882 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424911976 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424932003 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424941063 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.424952030 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425034046 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425045967 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425070047 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425079107 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425091028 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425160885 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425175905 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425185919 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425205946 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425261021 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425266981 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.425271988 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425286055 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425332069 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.425348997 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425544977 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425554037 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425561905 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425570965 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425580025 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425587893 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425599098 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425611019 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425627947 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425636053 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425674915 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425715923 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425764084 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425786018 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425868034 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425899029 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425964117 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.425982952 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426040888 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426049948 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426110983 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426131010 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426219940 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426230907 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426336050 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426347017 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426543951 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426553965 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426562071 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426570892 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426579952 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426588058 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426597118 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426604986 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426625013 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426635981 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426763058 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426774979 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.426981926 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.427047968 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.430201054 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430254936 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430318117 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430326939 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430366993 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430382013 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430408955 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430419922 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430468082 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430479050 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430505991 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430535078 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430605888 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430619955 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430638075 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430701017 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430759907 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430771112 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430844069 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430855036 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430871964 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430886030 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430955887 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430967093 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.430977106 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431049109 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431123018 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431188107 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431196928 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431262016 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431267977 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431312084 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431354046 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431406021 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431420088 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431436062 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431444883 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431483030 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431490898 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431519032 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431549072 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431610107 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431618929 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431628942 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431736946 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431746960 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431756020 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431781054 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431790113 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431835890 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431848049 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431922913 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431936026 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.431945086 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.432202101 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.432255030 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.432763100 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.432773113 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.432842016 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.432863951 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.432939053 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.432950020 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433017015 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433037043 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433101892 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433114052 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433152914 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433181047 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433303118 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433357000 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433391094 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433455944 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433480024 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433490992 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433568001 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433582067 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433664083 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433675051 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433716059 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433763027 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433798075 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433839083 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433957100 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.433968067 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434031010 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434088945 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434130907 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434168100 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434250116 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434263945 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434299946 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434312105 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434323072 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434376955 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434428930 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434442043 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434478998 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434492111 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434565067 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434580088 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434622049 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434633970 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434669018 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434679985 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434746981 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434760094 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434770107 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434779882 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434839964 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.434849024 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.435087919 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.435153008 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.437041044 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437135935 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437145948 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437201023 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437223911 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437309980 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437315941 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437360048 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437370062 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437405109 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437427044 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437443972 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437453985 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437500000 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437513113 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437681913 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437694073 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437716961 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437731028 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437752962 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437762022 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437809944 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437818050 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437916040 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437927008 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437947035 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437961102 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.437992096 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438005924 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438043118 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438054085 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438203096 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438214064 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438221931 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438231945 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438249111 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438263893 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438288927 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438329935 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438416004 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438472986 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438500881 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438512087 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438523054 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438544035 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438601017 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438611984 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438632011 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438642979 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438678980 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438689947 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438721895 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438733101 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.438766003 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.439208031 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.439273119 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.440069914 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440073967 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440079927 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440084934 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440097094 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440105915 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440140009 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440234900 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440243959 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440253019 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440295935 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440306902 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440327883 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440336943 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440375090 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440386057 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440407991 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440419912 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440459013 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440469980 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440500021 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440551043 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440598011 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440608025 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440615892 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440624952 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440645933 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440654039 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440670013 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440687895 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440819979 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440836906 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440979004 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440988064 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.440998077 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441005945 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441026926 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441035986 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441044092 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441056013 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441066027 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441078901 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441127062 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441137075 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441180944 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441190958 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441215038 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441224098 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441313028 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441323996 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441374063 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441384077 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441410065 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441418886 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.441627979 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.441692114 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.444094896 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444106102 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444117069 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444133997 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444191933 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444201946 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444224119 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444272995 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444318056 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444329023 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444369078 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444381952 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444447041 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444459915 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444488049 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444498062 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444524050 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444534063 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444582939 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444593906 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444603920 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444617987 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444652081 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444662094 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444719076 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444735050 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444753885 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444763899 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444811106 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444820881 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444868088 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444880962 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444911003 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444921970 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444933891 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.444997072 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445010900 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445019960 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445049047 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445058107 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445101023 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445110083 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445158005 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445168018 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445235968 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445246935 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445267916 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445276976 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445287943 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445307970 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445358038 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445364952 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.445431948 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.446585894 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.446594000 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.446609020 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.446619987 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.446667910 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.446861029 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.446944952 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.490483046 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:26.490678072 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:26.538522959 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.130790949 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.181688070 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:27.186940908 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.356564045 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.398082972 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:27.402975082 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.572617054 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.574784040 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:27.579878092 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.749222040 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.754492998 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:27.759514093 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.759522915 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.759537935 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.759542942 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.929349899 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:27.930030107 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:27.934984922 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:28.104507923 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:28.105518103 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:28.110444069 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:28.280884981 CEST243274971191.211.248.215192.168.2.6
                      Sep 26, 2024 11:32:28.325145006 CEST4971124327192.168.2.691.211.248.215
                      Sep 26, 2024 11:32:28.355607033 CEST4971124327192.168.2.691.211.248.215

                      Statistics

                      CPU Usage

                      Click to jump to process

                      Memory Usage

                      Click to jump to process

                      High Level Behavior Distribution

                      Click to dive into process behavior distribution

                      Behavior

                      Click to jump to process

                      System Behavior

                      General

                      Target ID:0
                      Start time:05:32:05
                      Start date:26/09/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0x580000
                      File size:321'536 bytes
                      MD5 hash:2CFC1AA34C34F4968B099AA7646097A5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2170183129.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true

                      General

                      Target ID:1
                      Start time:05:32:05
                      Start date:26/09/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:3
                      Start time:05:32:07
                      Start date:26/09/2024
                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Imagebase:0x510000
                      File size:65'440 bytes
                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2366089599.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2367662005.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high
                      Has exited:true

                      Disassembly

                      Reset < >

                        Execution Graph

                        Execution Coverage:40%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:30%
                        Total number of Nodes:20
                        Total number of Limit Nodes:0

                        Callgraph

                        • Executed
                        • Not Executed
                        • Opacity -> Relevance
                        • Disassembly available
                        callgraph 0 Function_02910090 1 Function_02910B10 46 Function_02910B40 1->46 2 Function_02910214 3 Function_02911216 4 Function_02910498 5 Function_02910198 6 Function_0291011C 7 Function_0291121C 80 Function_0291026C 7->80 8 Function_02A92139 9 Function_02910080 10 Function_02910100 11 Function_02910204 12 Function_02910988 16 Function_02910530 12->16 22 Function_0291053C 12->22 24 Function_02910524 12->24 39 Function_02910C58 12->39 12->46 56 Function_02910548 12->56 60 Function_02911270 12->60 78 Function_02911268 12->78 13 Function_02910188 14 Function_0291010C 15 Function_029100B0 16->80 17 Function_02911330 18 Function_029101B4 19 Function_02910234 20 Function_0291013C 21 Function_029100BC 22->80 23 Function_029100A0 25 Function_02910224 26 Function_02A91D1F 27 Function_029110A6 28 Function_029101A8 29 Function_02A91F92 30 Function_0291012C 31 Function_029110AC 31->80 32 Function_02910450 33 Function_02910555 34 Function_02910154 35 Function_029100D4 36 Function_02910254 37 Function_02910A57 37->16 37->22 37->39 37->46 37->56 37->60 37->78 38 Function_02910559 40 Function_029108D8 41 Function_0291045D 42 Function_0291055D 43 Function_029104DF 44 Function_02910F5F 44->80 45 Function_029104C1 47 Function_029101C0 48 Function_029104C5 49 Function_02910845 50 Function_02910244 51 Function_02910444 52 Function_029104C9 53 Function_02910848 54 Function_02910148 55 Function_029100C8 57 Function_02910BC8 58 Function_0291004D 59 Function_02910471 61 Function_02910070 62 Function_029100F0 63 Function_02910475 64 Function_029110F4 64->80 65 Function_02910479 66 Function_02910979 66->16 66->22 66->24 66->39 66->46 66->56 66->60 66->78 67 Function_02910178 68 Function_0291047D 69 Function_0291027C 70 Function_02910461 71 Function_02910561 72 Function_02910260 73 Function_02910165 74 Function_02910465 75 Function_029100E4 76 Function_02910469 77 Function_029108E8 79 Function_0291046D 81 Function_029101EC

                        Executed Functions

                        Function 02A92139 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282threadinjectionmemoryCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        APIs
                        • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A920AB,02A9209B), ref: 02A922A8
                        • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02A922BB
                        • Wow64GetThreadContext.KERNEL32(000000A8,00000000), ref: 02A922D9
                        • ReadProcessMemory.KERNELBASE(000000A4,?,02A920EF,00000004,00000000), ref: 02A922FD
                        • VirtualAllocEx.KERNELBASE(000000A4,?,?,00003000,00000040), ref: 02A92328
                        • WriteProcessMemory.KERNELBASE(000000A4,00000000,?,?,00000000,?), ref: 02A92380
                        • WriteProcessMemory.KERNELBASE(000000A4,00400000,?,?,00000000,?,00000028), ref: 02A923CB
                        • WriteProcessMemory.KERNELBASE(000000A4,?,?,00000004,00000000), ref: 02A92409
                        • Wow64SetThreadContext.KERNEL32(000000A8,05110000), ref: 02A92445
                        • ResumeThread.KERNELBASE(000000A8), ref: 02A92454
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2168767629.0000000002A91000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2a91000_file.jbxd
                        Similarity
                        • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                        • API String ID: 2687962208-1257834847
                        • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                        • Instruction ID: 7f84bbe7c32c24a0261f5cc644a5581fbc81e0aca9ed0216a091c3bf93dd5d0f
                        • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                        • Instruction Fuzzy Hash: E8B1F57660024AAFDB60CF69CC80BDA73E5FF88714F158164EA0CAB341D774FA518B94
                        Function 02911268 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 23 2911268-29112fd VirtualProtectEx 28 2911304-2911325 23->28 29 29112ff 23->29 29->28
                        APIs
                        • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 029112F0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2168655968.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2910000_file.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        • Opcode ID: 62d2749fe53e70e7849385be0c01a28fd1dcaacd89f99b7d784e8323dcad9f36
                        • Instruction ID: 1b294850b1d0d38cac4d3b98c4ecd2cff60b0ff6fe6703448522a59538843956
                        • Opcode Fuzzy Hash: 62d2749fe53e70e7849385be0c01a28fd1dcaacd89f99b7d784e8323dcad9f36
                        • Instruction Fuzzy Hash: 152123B190134D9FDB10DFAAC881ADEBBF4FF48310F10842AEA19A7250C774A901CFA1
                        Function 02911270 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 32 2911270-29112fd VirtualProtectEx 35 2911304-2911325 32->35 36 29112ff 32->36 36->35
                        APIs
                        • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 029112F0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2168655968.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2910000_file.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        • Opcode ID: 00eb5770f546bc383c7f4057d8d33f65e3e939906fc574701d00316fda58d10b
                        • Instruction ID: b1241658a181c080a8e700ba2a678b3d811d3238fa924afe69c5b40b984b5a43
                        • Opcode Fuzzy Hash: 00eb5770f546bc383c7f4057d8d33f65e3e939906fc574701d00316fda58d10b
                        • Instruction Fuzzy Hash: E921E2B190124D9FDF10DFAAC981ADEBBF4FF48710F10842AEA19A7250C775A914CFA5

                        Execution Graph

                        Execution Coverage:9%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:82
                        Total number of Limit Nodes:7
                        execution_graph 42248 bcd01c 42249 bcd034 42248->42249 42250 bcd08e 42249->42250 42253 4de2c08 42249->42253 42262 4de0ad4 42249->42262 42254 4de2c0c 42253->42254 42255 4de2c79 42254->42255 42257 4de2c69 42254->42257 42287 4de0bfc 42255->42287 42271 4de2e6c 42257->42271 42277 4de2da0 42257->42277 42282 4de2d90 42257->42282 42258 4de2c77 42258->42258 42263 4de0adf 42262->42263 42264 4de2c79 42263->42264 42266 4de2c69 42263->42266 42265 4de0bfc CallWindowProcW 42264->42265 42267 4de2c77 42265->42267 42268 4de2e6c CallWindowProcW 42266->42268 42269 4de2d90 CallWindowProcW 42266->42269 42270 4de2da0 CallWindowProcW 42266->42270 42267->42267 42268->42267 42269->42267 42270->42267 42272 4de2e7a 42271->42272 42273 4de2e2a 42271->42273 42291 4de2e58 42273->42291 42294 4de2e48 42273->42294 42274 4de2e40 42274->42258 42279 4de2db4 42277->42279 42278 4de2e40 42278->42258 42280 4de2e58 CallWindowProcW 42279->42280 42281 4de2e48 CallWindowProcW 42279->42281 42280->42278 42281->42278 42284 4de2d94 42282->42284 42283 4de2e40 42283->42258 42285 4de2e58 CallWindowProcW 42284->42285 42286 4de2e48 CallWindowProcW 42284->42286 42285->42283 42286->42283 42288 4de0c07 42287->42288 42289 4de435a CallWindowProcW 42288->42289 42290 4de4309 42288->42290 42289->42290 42290->42258 42292 4de2e69 42291->42292 42298 4de429e 42291->42298 42292->42274 42295 4de2e4c 42294->42295 42296 4de2e69 42295->42296 42297 4de429e CallWindowProcW 42295->42297 42296->42274 42297->42296 42299 4de0bfc CallWindowProcW 42298->42299 42300 4de42aa 42299->42300 42300->42292 42301 c14668 42302 c14684 42301->42302 42303 c14696 42302->42303 42305 c147a0 42302->42305 42306 c147a4 42305->42306 42310 c148a1 42306->42310 42314 c148b0 42306->42314 42311 c148a4 42310->42311 42312 c149b4 42311->42312 42318 c14248 42311->42318 42316 c148d7 42314->42316 42315 c149b4 42315->42315 42316->42315 42317 c14248 CreateActCtxA 42316->42317 42317->42315 42319 c15940 CreateActCtxA 42318->42319 42321 c15a03 42319->42321 42321->42321 42322 c1d0b8 42323 c1d0fe 42322->42323 42327 c1d289 42323->42327 42331 c1d298 42323->42331 42324 c1d1eb 42328 c1d298 42327->42328 42334 c1c9a0 42328->42334 42332 c1c9a0 DuplicateHandle 42331->42332 42333 c1d2c6 42332->42333 42333->42324 42335 c1d300 DuplicateHandle 42334->42335 42336 c1d2c6 42335->42336 42336->42324 42337 c1ad38 42338 c1ad47 42337->42338 42341 c1ae20 42337->42341 42346 c1ae30 42337->42346 42343 c1ae24 42341->42343 42342 c1ae64 42342->42338 42343->42342 42344 c1b068 GetModuleHandleW 42343->42344 42345 c1b095 42344->42345 42345->42338 42347 c1ae64 42346->42347 42348 c1ae41 42346->42348 42347->42338 42348->42347 42349 c1b068 GetModuleHandleW 42348->42349 42350 c1b095 42349->42350 42350->42338

                        Executed Functions

                        Function 060F3F50 Relevance: .5, Instructions: 526COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 597a5d34ae3af5d2c427ed9fa87e179771ebecd0f896c52a4a81395dc0c1445b
                        • Instruction ID: 32755793910af50ec796e9aecc13857ff1aabc49c7b8ed5fc9ffb84a1772a514
                        • Opcode Fuzzy Hash: 597a5d34ae3af5d2c427ed9fa87e179771ebecd0f896c52a4a81395dc0c1445b
                        • Instruction Fuzzy Hash: 16127F34B502058FDB54DF68C884AAEBBF6BF88710B148169E906EB765DB71EC41CB90
                        Function 04DE6948 Relevance: .5, Instructions: 499COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2379471819.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_4de0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 61b7659ab07514ae9faee5d5c7985384225610975a979f97f044f4a668509d2b
                        • Instruction ID: 7dece76504e7ae550fb39bda26b366fc4ea264b18c40bcc7f86510859e7b9c49
                        • Opcode Fuzzy Hash: 61b7659ab07514ae9faee5d5c7985384225610975a979f97f044f4a668509d2b
                        • Instruction Fuzzy Hash: 9322E175A01228DFDB65DF61C954BE9BBB2FF49300F4084E9D109AB2A1DB75AE84CF40
                        Function 060F67D8 Relevance: .4, Instructions: 416COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1088167e9135a4bab1ce39819b7cfb47d09dbd680bea308633cd4b4f6126a92a
                        • Instruction ID: 7fbeeecbf0d845e369e6fdac5c3d3eb10bf982820da96fcdac9f9e77dcce21de
                        • Opcode Fuzzy Hash: 1088167e9135a4bab1ce39819b7cfb47d09dbd680bea308633cd4b4f6126a92a
                        • Instruction Fuzzy Hash: 67F1E230A102099FDB55DF68D880BAEBFF2EF88300F148569E645EB661DB71ED45CB90
                        Function 060FA3D8 Relevance: .3, Instructions: 297COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 046bfb0dae120f7b1d3691367617fe1bc725a1a9a0f585ce7380f43b39fd1238
                        • Instruction ID: 583a6d96b33e73c12542f6dfde43941c168e0434cc737ff27fd85dda5dcfcaa8
                        • Opcode Fuzzy Hash: 046bfb0dae120f7b1d3691367617fe1bc725a1a9a0f585ce7380f43b39fd1238
                        • Instruction Fuzzy Hash: C0D1E634A02218DFCB18EFB4D8546ADBBB2FF8A301F5085A9D50AAB354DB355985CF50
                        Function 060FA3E8 Relevance: .3, Instructions: 289COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 37eda86b6b71934ddb2a224b0797b17e0317ab72aac7befa85d239030e54e66f
                        • Instruction ID: 2e579c6dfb1ecc96e81c9e0dd55df1c48cc984e126525ba05540bf67b8d990e1
                        • Opcode Fuzzy Hash: 37eda86b6b71934ddb2a224b0797b17e0317ab72aac7befa85d239030e54e66f
                        • Instruction Fuzzy Hash: F6D1E534E02218DFCB18EFB4D8546ADBBB2FF8A301F5085A9D50AAB254DF319985CF41
                        Function 04DE7C20 Relevance: .3, Instructions: 279COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2379471819.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_4de0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0180eef11c4f708c2073dd874c6fb8849103d752915afd80a7a6d03c037e24a2
                        • Instruction ID: 0dcb4ce90273c23757aa2870500a038930ba6eb8eafb9ae84588183975659dae
                        • Opcode Fuzzy Hash: 0180eef11c4f708c2073dd874c6fb8849103d752915afd80a7a6d03c037e24a2
                        • Instruction Fuzzy Hash: 12C1A574E00619CFDB14DFA6D840AADFBB2FF89300F1491AAD409A7355EB30A985CF50
                        Function 04DE5A43 Relevance: .2, Instructions: 181COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2379471819.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_4de0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 284542ee37d027ef65542ae049a3bdcd0ccce3f5ce805721230e84318e47a458
                        • Instruction ID: c6edb9cfc49699693ec942ca585606b787e5edde01fab7cf43ce9c939ba99d3b
                        • Opcode Fuzzy Hash: 284542ee37d027ef65542ae049a3bdcd0ccce3f5ce805721230e84318e47a458
                        • Instruction Fuzzy Hash: 7F613C30A0031ADFDB05EFE1D9A59EEBBF6FF89344B254165D406AB261EB30AD41CB50
                        Function 04DE7C10 Relevance: .1, Instructions: 130COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2379471819.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_4de0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 20057255e114d7260f04348f7492c6ccd7da50f33e4891fc49b1b52373f3b842
                        • Instruction ID: 093140a8554c83fe5741f5e61563bbb10a006132035c1297b83b8ed7a77bd3fd
                        • Opcode Fuzzy Hash: 20057255e114d7260f04348f7492c6ccd7da50f33e4891fc49b1b52373f3b842
                        • Instruction Fuzzy Hash: 2051B875E006188BEB18DFA6D84579EBBB3BFC8300F14C0A9D419AB255EB3059469F50
                        Function 00C1AE30 Relevance: 1.7, APIs: 1, Instructions: 209COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 0 c1ae30-c1ae3f 1 c1ae41-c1ae4e call c19838 0->1 2 c1ae6b-c1ae6f 0->2 7 c1ae50 1->7 8 c1ae64 1->8 4 c1ae71-c1ae7b 2->4 5 c1ae83-c1aec4 2->5 4->5 11 c1aed1-c1aedf 5->11 12 c1aec6-c1aece 5->12 60 c1ae56 call c1b0c8 7->60 61 c1ae56 call c1b0b8 7->61 8->2 13 c1aee1-c1aee6 11->13 14 c1af03-c1af05 11->14 12->11 16 c1aef1 13->16 17 c1aee8-c1aeef call c1a814 13->17 19 c1af08-c1af0f 14->19 15 c1ae5c-c1ae5e 15->8 18 c1afa0-c1afb7 15->18 23 c1aef3-c1af01 16->23 17->23 31 c1afb9-c1b018 18->31 21 c1af11-c1af19 19->21 22 c1af1c-c1af23 19->22 21->22 26 c1af30-c1af39 call c1a824 22->26 27 c1af25-c1af2d 22->27 23->19 32 c1af46-c1af4b 26->32 33 c1af3b-c1af43 26->33 27->26 51 c1b01a 31->51 34 c1af69-c1af76 32->34 35 c1af4d-c1af54 32->35 33->32 41 c1af99-c1af9f 34->41 42 c1af78-c1af96 34->42 35->34 37 c1af56-c1af66 call c1a834 call c1a844 35->37 37->34 42->41 52 c1b01c 51->52 53 c1b01e-c1b046 51->53 52->53 54 c1b048-c1b060 52->54 53->54 55 c1b062-c1b065 54->55 56 c1b068-c1b093 GetModuleHandleW 54->56 55->56 57 c1b095-c1b09b 56->57 58 c1b09c-c1b0b0 56->58 57->58 60->15 61->15
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000), ref: 00C1B086
                        Memory Dump Source
                        • Source File: 00000003.00000002.2367137253.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_c10000_RegAsm.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 07110f9f8ddb5cfa605da5e5aee728c852b89859bfea4f143bdacbbe38f43962
                        • Instruction ID: e0bbc7348facb4dc89759a3be435bd22cd94731c56dfae636b31cae06123399f
                        • Opcode Fuzzy Hash: 07110f9f8ddb5cfa605da5e5aee728c852b89859bfea4f143bdacbbe38f43962
                        • Instruction Fuzzy Hash: 3C8189B0A01B058FDB24DF69C04179ABBF1FF89304F00892DD09AD7A51DB74E986DB91
                        Function 00C15935 Relevance: 1.6, APIs: 1, Instructions: 101COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 62 c15935-c15936 63 c15938-c15939 62->63 64 c1593a 62->64 63->64 65 c1593c 64->65 66 c1593e 64->66 65->66 67 c15940-c15a01 CreateActCtxA 66->67 69 c15a03-c15a09 67->69 70 c15a0a-c15a64 67->70 69->70 77 c15a73-c15a77 70->77 78 c15a66-c15a69 70->78 79 c15a79-c15a85 77->79 80 c15a88 77->80 78->77 79->80 82 c15a89 80->82 82->82
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 00C159F1
                        Memory Dump Source
                        • Source File: 00000003.00000002.2367137253.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_c10000_RegAsm.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 2cbc4902ff2d720cf2f175be5545dff683de937a385758f261e624f6e7d650b8
                        • Instruction ID: aa1f2ec676de54e2dd791d6ac32f2d6b53aa3dc4aacc5005629979437d511a08
                        • Opcode Fuzzy Hash: 2cbc4902ff2d720cf2f175be5545dff683de937a385758f261e624f6e7d650b8
                        • Instruction Fuzzy Hash: 2D41F2B0C00719CBEB14DFA9C984BDDBBB5BF85314F60816AD408BB251DBB56986CF50
                        Function 04DE0BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 83 4de0bfc-4de42fc 86 4de43ac-4de43cc call 4de0ad4 83->86 87 4de4302-4de4307 83->87 94 4de43cf-4de43dc 86->94 88 4de435a-4de4392 CallWindowProcW 87->88 89 4de4309-4de4340 87->89 92 4de439b-4de43aa 88->92 93 4de4394-4de439a 88->93 96 4de4349-4de4358 89->96 97 4de4342-4de4348 89->97 92->94 93->92 96->94 97->96
                        APIs
                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 04DE4381
                        Memory Dump Source
                        • Source File: 00000003.00000002.2379471819.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_4de0000_RegAsm.jbxd
                        Similarity
                        • API ID: CallProcWindow
                        • String ID:
                        • API String ID: 2714655100-0
                        • Opcode ID: 4a787d7b8ff3c3b2abc2b7e1dec9ae4bb998768a1dffa6c15b6836760dd7ab9e
                        • Instruction ID: 9b7e95b4123ce94a5730d2ede7c4aca755aef10aad01fb4d98da05313533de14
                        • Opcode Fuzzy Hash: 4a787d7b8ff3c3b2abc2b7e1dec9ae4bb998768a1dffa6c15b6836760dd7ab9e
                        • Instruction Fuzzy Hash: 8C4127B5A00309DFDB14DF9AC448AAABBF5FF88314F24C559D519AB321D774E841CBA0
                        Function 00C14248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 100 c14248-c15a01 CreateActCtxA 103 c15a03-c15a09 100->103 104 c15a0a-c15a64 100->104 103->104 111 c15a73-c15a77 104->111 112 c15a66-c15a69 104->112 113 c15a79-c15a85 111->113 114 c15a88 111->114 112->111 113->114 116 c15a89 114->116 116->116
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 00C159F1
                        Memory Dump Source
                        • Source File: 00000003.00000002.2367137253.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_c10000_RegAsm.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 68d64ed79bd41598eb55c32780e007fea338715857fdc63d8aabce81f367aed6
                        • Instruction ID: 14dd4a85a8797b90e96043a84db19be5a7802a86c3f9bb36f8dc0c6d2291e398
                        • Opcode Fuzzy Hash: 68d64ed79bd41598eb55c32780e007fea338715857fdc63d8aabce81f367aed6
                        • Instruction Fuzzy Hash: 9041C1B0C00719CBEB24CFAAC944BDDBBB5FF85704F60816AD408AB251DBB56985CF91
                        Function 00C1C9A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 117 c1c9a0-c1d394 DuplicateHandle 119 c1d396-c1d39c 117->119 120 c1d39d-c1d3ba 117->120 119->120
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C1D2C6,?,?,?,?,?), ref: 00C1D387
                        Memory Dump Source
                        • Source File: 00000003.00000002.2367137253.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_c10000_RegAsm.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 54dcc3697acad41fe93108a3c862b9477d47ae1325c24703ebca539baaeea6b4
                        • Instruction ID: 0ecbac891ab201462d163be0b57fd0d72148179ea966209d2f3f608e12d3391d
                        • Opcode Fuzzy Hash: 54dcc3697acad41fe93108a3c862b9477d47ae1325c24703ebca539baaeea6b4
                        • Instruction Fuzzy Hash: 8921E3B5900349DFDB10CF9AD984ADEBBF4EB48320F14841AE919B7310D774A954CFA5
                        Function 00C1D2F9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 123 c1d2f9-c1d394 DuplicateHandle 124 c1d396-c1d39c 123->124 125 c1d39d-c1d3ba 123->125 124->125
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C1D2C6,?,?,?,?,?), ref: 00C1D387
                        Memory Dump Source
                        • Source File: 00000003.00000002.2367137253.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_c10000_RegAsm.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 3c71942a89bbd3c75ad5341666c6da7ac6c348a88d7e0d14bbb272d7ce7d9cd5
                        • Instruction ID: 5fb8bde2b57e486e0dcd0880b1ff52978e4b3ceb508246d79e20bf13258bbcd6
                        • Opcode Fuzzy Hash: 3c71942a89bbd3c75ad5341666c6da7ac6c348a88d7e0d14bbb272d7ce7d9cd5
                        • Instruction Fuzzy Hash: 3221E3B59003499FDB10CFAAD984ADEBBF4EB48324F14841AE928B7210D374A954CFA1
                        Function 00C1B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 128 c1b020-c1b060 129 c1b062-c1b065 128->129 130 c1b068-c1b093 GetModuleHandleW 128->130 129->130 131 c1b095-c1b09b 130->131 132 c1b09c-c1b0b0 130->132 131->132
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000), ref: 00C1B086
                        Memory Dump Source
                        • Source File: 00000003.00000002.2367137253.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_c10000_RegAsm.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 23b8fb151fd2f4eb2b18cce30a6f37fccf9f6cb33710245d8b1874d27cd53663
                        • Instruction ID: 13427de1488a16933a85b2ea5fcc6810f5c2d8c4346f5d22a2ff6bd78701aecb
                        • Opcode Fuzzy Hash: 23b8fb151fd2f4eb2b18cce30a6f37fccf9f6cb33710245d8b1874d27cd53663
                        • Instruction Fuzzy Hash: 161102B6C007498FDB10CF9AC444ADEFBF4AB89724F10841AD428B7210C775AA45CFA1
                        Function 060F59C8 Relevance: 1.5, Strings: 1, Instructions: 286COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 134 60f59c8-60f59c9 135 60f59ce-60f59f3 134->135 136 60f59cb-60f59cc 134->136 137 60f59ff-60f5a0e 135->137 138 60f59f5-60f59f7 135->138 136->135 139 60f5a1a-60f5a2a 137->139 140 60f5a10 137->140 138->137 141 60f5a2d-60f5a4f 139->141 140->139 142 60f5c88-60f5ccf 141->142 143 60f5a55-60f5a5b 141->143 171 60f5ce5-60f5cf1 142->171 172 60f5cd1 142->172 144 60f5b34-60f5b38 143->144 145 60f5a61-60f5a67 143->145 147 60f5b5b-60f5b64 144->147 148 60f5b3a-60f5b43 144->148 145->142 146 60f5a6d-60f5a7a 145->146 150 60f5b13-60f5b1c 146->150 151 60f5a80-60f5a89 146->151 153 60f5b89-60f5b8c 147->153 154 60f5b66-60f5b86 147->154 148->142 152 60f5b49-60f5b59 148->152 150->142 157 60f5b22-60f5b2e 150->157 151->142 158 60f5a8f-60f5ab0 151->158 156 60f5b8f-60f5b95 152->156 153->156 154->153 156->142 159 60f5b9b-60f5bae 156->159 157->144 157->145 160 60f5abc-60f5ad7 158->160 161 60f5ab2 158->161 159->142 164 60f5bb4-60f5bc4 159->164 160->150 170 60f5ad9-60f5adf 160->170 161->160 164->142 165 60f5bca-60f5bd7 164->165 165->142 169 60f5bdd-60f5c02 165->169 169->142 184 60f5c08-60f5c20 169->184 173 60f5aeb-60f5af1 170->173 174 60f5ae1 170->174 178 60f5cfd-60f5d19 171->178 179 60f5cf3 171->179 176 60f5cd4-60f5ce3 172->176 173->142 175 60f5af7-60f5b10 173->175 174->173 176->171 179->178 184->142 187 60f5c22-60f5c2d 184->187 188 60f5c2f-60f5c39 187->188 189 60f5c7e-60f5c85 187->189 188->189 191 60f5c3b-60f5c51 188->191 193 60f5c5d-60f5c76 191->193 194 60f5c53 191->194 193->189 194->193
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID: d
                        • API String ID: 0-2564639436
                        • Opcode ID: 7cb093aa110004e637d740b97a6851a247850d0d90d7b55398e071de49b640ce
                        • Instruction ID: c6a2ea213a30364de543b4dfb65075d9308b1d63003ddaaf553e957438802b5c
                        • Opcode Fuzzy Hash: 7cb093aa110004e637d740b97a6851a247850d0d90d7b55398e071de49b640ce
                        • Instruction Fuzzy Hash: 55C16D34600606CFC765CF18C88096ABBF2FF89310B5ACA59D65A9BB65D730FD46CB90
                        Function 060D1BA0 Relevance: 1.4, Instructions: 1438COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 197 60d1ba0-60d1bc3 198 60d1bc5-60d1bc7 197->198 199 60d1bd1-60d1c2d 197->199 198->199 204 60d2056-60d209e 199->204 205 60d1c33-60d1c69 199->205 208 60d20b6-60d2119 204->208 209 60d20a0-60d20a6 204->209 205->204 217 60d1c6f-60d1ca5 205->217 227 60d211f-60d2139 208->227 228 60d2ea1-60d2ee8 208->228 211 60d20a8 209->211 212 60d20aa-60d20b4 209->212 211->208 212->208 217->204 224 60d1cab-60d1ce2 217->224 224->204 240 60d1ce8-60d1d1e 224->240 227->228 234 60d213f-60d216f 227->234 232 60d2eea-60d2ef0 228->232 233 60d2f00-60d2f78 228->233 236 60d2ef4-60d2efe 232->236 237 60d2ef2 232->237 258 60d2f7a-60d2fa0 233->258 259 60d2fa2-60d2fa9 233->259 248 60d2189-60d21d5 234->248 249 60d2171-60d2187 234->249 236->233 237->233 240->204 254 60d1d24-60d1d5a 240->254 261 60d21dc-60d21f9 248->261 249->261 254->204 270 60d1d60-60d1d9e 254->270 258->259 261->228 268 60d21ff-60d2235 261->268 277 60d224f-60d229b 268->277 278 60d2237-60d224d 268->278 270->204 279 60d1da4-60d1ded 270->279 286 60d22a2-60d22bf 277->286 278->286 279->204 296 60d1df3-60d1e29 279->296 286->228 290 60d22c5-60d22fb 286->290 299 60d22fd-60d2313 290->299 300 60d2315-60d2361 290->300 296->204 307 60d1e2f-60d1e65 296->307 308 60d2368-60d2385 299->308 300->308 307->204 317 60d1e6b-60d1ea1 307->317 308->228 314 60d238b-60d23c1 308->314 321 60d23db-60d2427 314->321 322 60d23c3-60d23d9 314->322 317->204 327 60d1ea7-60d1edd 317->327 330 60d242e-60d244b 321->330 322->330 327->204 338 60d1ee3-60d1efa 327->338 330->228 335 60d2451-60d2487 330->335 345 60d2489-60d249f 335->345 346 60d24a1-60d24f9 335->346 338->204 342 60d1f00-60d1f32 338->342 353 60d1f5c-60d1f9e 342->353 354 60d1f34-60d1f5a 342->354 355 60d2500-60d251d 345->355 346->355 370 60d1fbc-60d1fc8 353->370 371 60d1fa0-60d1fb6 353->371 368 60d1fce-60d2001 354->368 355->228 361 60d2523-60d2559 355->361 374 60d255b-60d2571 361->374 375 60d2573-60d25d1 361->375 368->204 381 60d2003-60d2039 368->381 370->368 371->370 383 60d25d8-60d25f5 374->383 375->383 381->204 392 60d203b-60d2053 381->392 383->228 388 60d25fb-60d2631 383->388 396 60d264b-60d26a9 388->396 397 60d2633-60d2649 388->397 402 60d26b0-60d26cd 396->402 397->402 402->228 406 60d26d3-60d2709 402->406 410 60d270b-60d2721 406->410 411 60d2723-60d2781 406->411 416 60d2788-60d27a5 410->416 411->416 416->228 420 60d27ab-60d27c5 416->420 420->228 422 60d27cb-60d27fb 420->422 426 60d27fd-60d2813 422->426 427 60d2815-60d2873 422->427 432 60d287a-60d2897 426->432 427->432 432->228 435 60d289d-60d28b7 432->435 435->228 438 60d28bd-60d28ed 435->438 442 60d28ef-60d2905 438->442 443 60d2907-60d2965 438->443 448 60d296c-60d2989 442->448 443->448 448->228 452 60d298f-60d29a9 448->452 452->228 454 60d29af-60d29df 452->454 458 60d29f9-60d2a57 454->458 459 60d29e1-60d29f7 454->459 464 60d2a5e-60d2a7b 458->464 459->464 464->228 468 60d2a81-60d2ab7 464->468 472 60d2ab9-60d2acf 468->472 473 60d2ad1-60d2b2f 468->473 478 60d2b36-60d2b53 472->478 473->478 478->228 481 60d2b59-60d2b8f 478->481 486 60d2ba9-60d2c07 481->486 487 60d2b91-60d2ba7 481->487 492 60d2c0e-60d2c2b 486->492 487->492 492->228 496 60d2c31-60d2c67 492->496 500 60d2c69-60d2c7f 496->500 501 60d2c81-60d2cdf 496->501 506 60d2ce6-60d2d03 500->506 501->506 506->228 510 60d2d09-60d2d3f 506->510 514 60d2d59-60d2db7 510->514 515 60d2d41-60d2d57 510->515 520 60d2dbe-60d2ddb 514->520 515->520 520->228 524 60d2de1-60d2e13 520->524 528 60d2e2d-60d2e82 524->528 529 60d2e15-60d2e2b 524->529 534 60d2e89-60d2e9e 528->534 529->534
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1118cfd8f995d0cb2761a2d83cddcabb9d5c5062d6be60e487cc931e743bfdd7
                        • Instruction ID: 549f6d594e0b04de5a999b0fb4dc1ed84317e9693f129f49a4ac901b2b92bacf
                        • Opcode Fuzzy Hash: 1118cfd8f995d0cb2761a2d83cddcabb9d5c5062d6be60e487cc931e743bfdd7
                        • Instruction Fuzzy Hash: 42C24070B402189FDB54DF64C854AAEBBB2FF88704F108499E606AB3A1DB71EE45CF51
                        Function 060D3838 Relevance: .9, Instructions: 875COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 575 60d3838-60d3848 576 60d384a-60d3850 575->576 577 60d3860-60d38ac 575->577 578 60d3854-60d385e 576->578 579 60d3852 576->579 585 60d39c1-60d39f6 577->585 586 60d38b2-60d38eb 577->586 578->577 579->577 589 60d3a0e-60d3a55 585->589 590 60d39f8-60d39fe 585->590 586->585 598 60d38f1-60d392a 586->598 603 60d3a5b-60d3a92 589->603 604 60d3ae5-60d3b2e 589->604 592 60d3a00 590->592 593 60d3a02-60d3a0c 590->593 592->589 593->589 598->585 606 60d3930-60d3969 598->606 603->604 619 60d3a94-60d3aca 603->619 609 60d3b46-60d3b9f 604->609 610 60d3b30-60d3b36 604->610 606->585 624 60d396b-60d39a4 606->624 628 60d3ba5-60d3be4 609->628 629 60d4147-60d41d8 609->629 613 60d3b38 610->613 614 60d3b3a-60d3b44 610->614 613->609 614->609 619->604 632 60d3acc-60d3ae2 619->632 624->585 638 60d39a6-60d39be 624->638 628->629 643 60d3bea-60d3c06 628->643 653 60d41de-60d41fa 629->653 654 60d42a9-60d42b0 629->654 643->629 647 60d3c0c-60d3c43 643->647 656 60d3c6e-60d3cd5 647->656 657 60d3c45-60d3c69 647->657 663 60d41fc-60d4220 653->663 664 60d4222-60d4260 653->664 675 60d3cf7-60d3d05 656->675 676 60d3cd7-60d3cf1 656->676 670 60d3d0b-60d3d25 657->670 680 60d428a-60d42a3 663->680 683 60d427b-60d4284 664->683 684 60d4262-60d4275 664->684 670->629 677 60d3d2b-60d3d62 670->677 675->670 676->675 689 60d3d8d-60d3df0 677->689 690 60d3d64-60d3d88 677->690 680->653 680->654 683->680 684->683 700 60d3e12-60d3e20 689->700 701 60d3df2-60d3e0c 689->701 697 60d3e26-60d3e40 690->697 697->629 702 60d3e46-60d3e7d 697->702 700->697 701->700 706 60d3e7f-60d3ea3 702->706 707 60d3ea8-60d3f0b 702->707 714 60d3f41-60d3f5b 706->714 716 60d3f2d-60d3f3b 707->716 717 60d3f0d-60d3f27 707->717 714->629 719 60d3f61-60d3f98 714->719 716->714 717->716 723 60d3f9a-60d3fbe 719->723 724 60d3fc3-60d4026 719->724 731 60d405c-60d4076 723->731 733 60d4048-60d4056 724->733 734 60d4028-60d4042 724->734 731->629 736 60d407c-60d40b0 731->736 733->731 734->733 740 60d40d8-60d4128 736->740 741 60d40b2-60d40d6 736->741 748 60d412f-60d4144 740->748 741->748
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3309be0afd404097ef2632719bded84ce2123475d754e4a1c6a304a6c4c09eca
                        • Instruction ID: ee379dc11224ba04886484ef2005ce27ba14cf3c257f40c2c99800d55716ff2b
                        • Opcode Fuzzy Hash: 3309be0afd404097ef2632719bded84ce2123475d754e4a1c6a304a6c4c09eca
                        • Instruction Fuzzy Hash: FA722A34B502049FCB44DF68C894EAABBF6FF89704F11819AE605DB3A1DB71ED418B61
                        Function 060D00D8 Relevance: .7, Instructions: 676COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1045 60d00d8-60d00fc 1047 60d00fe-60d0104 1045->1047 1048 60d0114-60d0135 1045->1048 1049 60d0108-60d010a 1047->1049 1050 60d0106 1047->1050 1053 60d0138-60d0145 1048->1053 1049->1048 1050->1048 1055 60d014b-60d0160 1053->1055 1056 60d076a-60d0774 1053->1056 1055->1053 1058 60d0162 1055->1058 1059 60d01de-60d0204 1058->1059 1060 60d0169-60d018c 1058->1060 1061 60d03aa-60d03cd 1058->1061 1062 60d049a-60d04bd 1058->1062 1063 60d02c4-60d02f2 1058->1063 1064 60d0337-60d035d 1058->1064 1065 60d0251-60d027f 1058->1065 1066 60d0422-60d0445 1058->1066 1067 60d0512-60d0535 1058->1067 1077 60d020a-60d020c 1059->1077 1114 60d0777-60d07a6 1060->1114 1115 60d0192-60d0196 1060->1115 1116 60d0819-60d0848 1061->1116 1117 60d03d3-60d03d7 1061->1117 1118 60d095d-60d098c 1062->1118 1119 60d04c3-60d04c7 1062->1119 1090 60d030a-60d0332 1063->1090 1091 60d02f4-60d02fa 1063->1091 1083 60d0363-60d0365 1064->1083 1092 60d0297-60d02bf 1065->1092 1093 60d0281-60d0287 1065->1093 1107 60d08bb-60d08ea 1066->1107 1108 60d044b-60d044f 1066->1108 1109 60d09ff-60d0a2e 1067->1109 1110 60d053b-60d053f 1067->1110 1086 60d020e-60d0214 1077->1086 1087 60d0224-60d024c 1077->1087 1088 60d037d-60d03a5 1083->1088 1089 60d0367-60d036d 1083->1089 1094 60d0218-60d021a 1086->1094 1095 60d0216 1086->1095 1087->1053 1088->1053 1098 60d036f 1089->1098 1099 60d0371-60d0373 1089->1099 1090->1053 1105 60d02fc 1091->1105 1106 60d02fe-60d0300 1091->1106 1092->1053 1100 60d0289 1093->1100 1101 60d028b-60d028d 1093->1101 1094->1087 1095->1087 1098->1088 1099->1088 1100->1092 1101->1092 1105->1090 1106->1090 1133 60d08f1-60d0920 1107->1133 1121 60d0455-60d045f 1108->1121 1122 60d0927-60d0956 1108->1122 1134 60d0a35-60d0a64 1109->1134 1123 60d0a6b-60d0d2e 1110->1123 1124 60d0545-60d054f 1110->1124 1142 60d07ad-60d07dc 1114->1142 1125 60d019c-60d01a6 1115->1125 1126 60d07e3-60d0812 1115->1126 1145 60d084f-60d087e 1116->1145 1127 60d03dd-60d03e7 1117->1127 1128 60d0885-60d08b4 1117->1128 1147 60d0993-60d09c2 1118->1147 1129 60d04cd-60d04d7 1119->1129 1130 60d09c9-60d09f8 1119->1130 1132 60d0465-60d0495 1121->1132 1121->1133 1122->1118 1124->1134 1135 60d0555-60d0585 1124->1135 1125->1142 1143 60d01ac-60d01d9 1125->1143 1126->1116 1144 60d03ed-60d041d 1127->1144 1127->1145 1128->1107 1146 60d04dd-60d050d 1129->1146 1129->1147 1130->1109 1132->1053 1133->1122 1134->1123 1135->1053 1142->1126 1143->1053 1144->1053 1145->1128 1146->1053 1147->1130
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0ba8da78f9e166f26ccbe1a889252459a6ac4b3004c6b78d9b6f0f05af331fe3
                        • Instruction ID: c956ca0eefc9899c397b550dc63bc15ce202509a926eebeab1275f3b354d776a
                        • Opcode Fuzzy Hash: 0ba8da78f9e166f26ccbe1a889252459a6ac4b3004c6b78d9b6f0f05af331fe3
                        • Instruction Fuzzy Hash: 11426930700B199FDB68AF789450A6E7AF2FFC5614B400A5DD507AB390DFBAED058B81
                        Function 060D0D80 Relevance: .6, Instructions: 616COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1254 60d0d80-60d0dcb 1259 60d0efd-60d0f10 1254->1259 1260 60d0dd1-60d0dd3 1254->1260 1263 60d1006-60d1011 1259->1263 1264 60d0f16-60d0f25 1259->1264 1261 60d0dd6-60d0de5 1260->1261 1266 60d0e9d-60d0ea1 1261->1266 1267 60d0deb-60d0e1d 1261->1267 1268 60d1019-60d1022 1263->1268 1273 60d0f2b-60d0f51 1264->1273 1274 60d0fd1-60d0fd5 1264->1274 1269 60d0eb0 1266->1269 1270 60d0ea3-60d0eae 1266->1270 1305 60d0e1f-60d0e24 1267->1305 1306 60d0e26-60d0e2d 1267->1306 1272 60d0eb5-60d0eb8 1269->1272 1270->1272 1272->1268 1279 60d0ebe-60d0ec2 1272->1279 1303 60d0f5a-60d0f61 1273->1303 1304 60d0f53-60d0f58 1273->1304 1276 60d0fe4 1274->1276 1277 60d0fd7-60d0fe2 1274->1277 1280 60d0fe6-60d0fe8 1276->1280 1277->1280 1281 60d0ec4-60d0ecf 1279->1281 1282 60d0ed1 1279->1282 1286 60d1039-60d10b5 1280->1286 1287 60d0fea-60d0ff4 1280->1287 1288 60d0ed3-60d0ed5 1281->1288 1282->1288 1336 60d1189-60d119c 1286->1336 1337 60d10bb-60d10bd 1286->1337 1297 60d0ff7-60d1000 1287->1297 1292 60d0edb-60d0ee5 1288->1292 1293 60d1025-60d1032 1288->1293 1301 60d0ee8-60d0ef2 1292->1301 1293->1286 1297->1263 1297->1264 1301->1261 1312 60d0ef8 1301->1312 1307 60d0f86-60d0faa 1303->1307 1308 60d0f63-60d0f84 1303->1308 1313 60d0fc5-60d0fcf 1304->1313 1309 60d0e91-60d0e9b 1305->1309 1310 60d0e2f-60d0e50 1306->1310 1311 60d0e52-60d0e76 1306->1311 1326 60d0fac-60d0fb2 1307->1326 1327 60d0fc2 1307->1327 1308->1313 1309->1301 1310->1309 1328 60d0e8e 1311->1328 1329 60d0e78-60d0e7e 1311->1329 1312->1268 1313->1297 1331 60d0fb4 1326->1331 1332 60d0fb6-60d0fb8 1326->1332 1327->1313 1328->1309 1333 60d0e80 1329->1333 1334 60d0e82-60d0e84 1329->1334 1331->1327 1332->1327 1333->1328 1334->1328 1341 60d1234-60d1237 1336->1341 1342 60d11a2-60d11b1 1336->1342 1338 60d10c0-60d10cf 1337->1338 1344 60d1129-60d112d 1338->1344 1345 60d10d1-60d10dd 1338->1345 1343 60d1239-60d123b 1341->1343 1353 60d11ff-60d1203 1342->1353 1354 60d11b3-60d11dc 1342->1354 1346 60d123d-60d123f 1343->1346 1347 60d1249-60d1250 1343->1347 1348 60d113c 1344->1348 1349 60d112f-60d113a 1344->1349 1360 60d10e7-60d10fe 1345->1360 1355 60d1247 1346->1355 1352 60d1141-60d1144 1348->1352 1349->1352 1352->1355 1359 60d114a-60d114e 1352->1359 1357 60d1205-60d1210 1353->1357 1358 60d1212 1353->1358 1378 60d11de-60d11e4 1354->1378 1379 60d11f4-60d11fd 1354->1379 1355->1347 1363 60d1214-60d1216 1357->1363 1358->1363 1361 60d115d 1359->1361 1362 60d1150-60d115b 1359->1362 1369 60d1104-60d1106 1360->1369 1368 60d115f-60d1161 1361->1368 1362->1368 1366 60d1218-60d1222 1363->1366 1367 60d1267-60d1284 1363->1367 1384 60d1225-60d122e 1366->1384 1392 60d1298-60d12af 1367->1392 1393 60d1286-60d1291 1367->1393 1372 60d1167-60d1171 1368->1372 1373 60d1253-60d1260 1368->1373 1374 60d111e-60d1127 1369->1374 1375 60d1108-60d110e 1369->1375 1388 60d1174-60d117e 1372->1388 1373->1367 1374->1388 1382 60d1110 1375->1382 1383 60d1112-60d1114 1375->1383 1385 60d11e8-60d11ea 1378->1385 1386 60d11e6 1378->1386 1379->1384 1382->1374 1383->1374 1384->1341 1384->1342 1385->1379 1386->1379 1388->1338 1391 60d1184 1388->1391 1391->1355 1396 60d12c7-60d12e9 1392->1396 1397 60d12b1-60d12b7 1392->1397 1393->1343 1394 60d1293 1393->1394 1394->1392 1402 60d12ec-60d12f0 1396->1402 1398 60d12b9 1397->1398 1399 60d12bb-60d12bd 1397->1399 1398->1396 1399->1396 1403 60d12f9-60d12fe 1402->1403 1404 60d12f2-60d12f7 1402->1404 1405 60d1304-60d1307 1403->1405 1404->1405 1406 60d130d-60d1322 1405->1406 1407 60d14f8-60d1500 1405->1407 1406->1402 1409 60d1324 1406->1409 1410 60d1498 1409->1410 1411 60d132b-60d1350 1409->1411 1412 60d13e0-60d1405 1409->1412 1413 60d14a2-60d14b9 1410->1413 1424 60d1356-60d135a 1411->1424 1425 60d1352-60d1354 1411->1425 1422 60d140b-60d140f 1412->1422 1423 60d1407-60d1409 1412->1423 1416 60d14bf-60d14f3 1413->1416 1416->1402 1428 60d1411-60d142e 1422->1428 1429 60d1430-60d1453 1422->1429 1427 60d146d-60d1493 1423->1427 1431 60d135c-60d1379 1424->1431 1432 60d137b-60d139e 1424->1432 1430 60d13b8-60d13db 1425->1430 1427->1402 1428->1427 1446 60d146b 1429->1446 1447 60d1455-60d145b 1429->1447 1430->1402 1431->1430 1448 60d13b6 1432->1448 1449 60d13a0-60d13a6 1432->1449 1446->1427 1450 60d145d 1447->1450 1451 60d145f-60d1461 1447->1451 1448->1430 1452 60d13a8 1449->1452 1453 60d13aa-60d13ac 1449->1453 1450->1446 1451->1446 1452->1448 1453->1448
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b477a63e247d1c92c8201dca9c90fb0d7a64ad7b20787189e3402cef8a4d17db
                        • Instruction ID: 4eebdb844d4f4fb0b2a4424d2cc06b32bb350c37bdf56f4ca2f87329287aa94b
                        • Opcode Fuzzy Hash: b477a63e247d1c92c8201dca9c90fb0d7a64ad7b20787189e3402cef8a4d17db
                        • Instruction Fuzzy Hash: 96229E30B403059FDB849B69C854A6EBBF6BF89304F1485AAE506CB392DF75DC41CB91
                        Function 060F48B8 Relevance: .6, Instructions: 595COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1454 60f48b8-60f48d2 1455 60f48d9-60f4900 1454->1455 1456 60f48d4 call 60f4650 1454->1456 1459 60f4906-60f490a 1455->1459 1460 60f4902-60f4904 1455->1460 1456->1455 1461 60f4910-60f4933 1459->1461 1460->1461 1466 60f493f-60f494b 1461->1466 1467 60f4935-60f493a 1461->1467 1472 60f497e-60f498a 1466->1472 1473 60f494d-60f4979 call 60f3f50 1466->1473 1468 60f4a1b-60f4a21 1467->1468 1470 60f4a27-60f4a47 1468->1470 1471 60f4a23 1468->1471 1484 60f4a49-60f4a4e 1470->1484 1485 60f4a53-60f4a68 1470->1485 1471->1470 1479 60f498c-60f4991 1472->1479 1480 60f4996-60f49aa 1472->1480 1473->1468 1479->1468 1490 60f49ac-60f49ce 1480->1490 1491 60f4a16 1480->1491 1488 60f4af0-60f4afe 1484->1488 1498 60f4a6e-60f4a7e 1485->1498 1499 60f4aeb 1485->1499 1496 60f4b16-60f4b22 1488->1496 1497 60f4b00-60f4b04 1488->1497 1511 60f49f4-60f4a0d 1490->1511 1512 60f49d0-60f49f2 1490->1512 1491->1468 1503 60f4b28-60f4b44 1496->1503 1504 60f4c06-60f4c3a 1496->1504 1502 60f4b0c-60f4b0e 1497->1502 1506 60f4a92-60f4a97 1498->1506 1507 60f4a80-60f4a90 1498->1507 1499->1488 1502->1496 1519 60f4bf2-60f4c00 1503->1519 1530 60f4c3c-60f4c50 1504->1530 1531 60f4c52-60f4c54 1504->1531 1506->1488 1507->1506 1517 60f4a99-60f4aa9 1507->1517 1511->1491 1527 60f4a0f-60f4a14 1511->1527 1512->1491 1512->1511 1525 60f4aab-60f4ab0 1517->1525 1526 60f4ab2-60f4ac2 1517->1526 1519->1504 1521 60f4b49-60f4b52 1519->1521 1528 60f4b58-60f4b6b 1521->1528 1529 60f4e11-60f4e38 1521->1529 1525->1488 1539 60f4acb-60f4adb 1526->1539 1540 60f4ac4-60f4ac9 1526->1540 1527->1468 1528->1529 1535 60f4b71-60f4b83 1528->1535 1541 60f4e3e-60f4e40 1529->1541 1542 60f4ecc-60f4f08 1529->1542 1530->1531 1533 60f4c56-60f4c68 1531->1533 1534 60f4c84-60f4cc4 1531->1534 1533->1534 1548 60f4c6a-60f4c7c 1533->1548 1623 60f4cc6 call 60f54f8 1534->1623 1624 60f4cc6 call 60f5508 1534->1624 1549 60f4bef 1535->1549 1550 60f4b85-60f4b91 1535->1550 1556 60f4add-60f4ae2 1539->1556 1557 60f4ae4-60f4ae9 1539->1557 1540->1488 1541->1542 1547 60f4e46-60f4e48 1541->1547 1581 60f4f0a-60f4f0c 1542->1581 1582 60f4f73-60f4f94 1542->1582 1547->1542 1553 60f4e4e-60f4e52 1547->1553 1548->1534 1549->1519 1550->1529 1551 60f4b97-60f4bec 1550->1551 1551->1549 1553->1542 1558 60f4e54-60f4e58 1553->1558 1556->1488 1557->1488 1562 60f4e6a-60f4eac 1558->1562 1563 60f4e5a-60f4e68 1558->1563 1560 60f4ccc-60f4ce0 1575 60f4d27-60f4d74 1560->1575 1576 60f4ce2-60f4cf9 1560->1576 1570 60f4eb4-60f4ec9 1562->1570 1563->1570 1611 60f4dc8-60f4ddf 1575->1611 1612 60f4d76-60f4d8f 1575->1612 1595 60f4cfb-60f4d05 1576->1595 1596 60f4d07-60f4d1f call 60f3f50 1576->1596 1586 60f4f0e-60f4f1d 1581->1586 1587 60f4f50-60f4f71 1581->1587 1589 60f4f1f-60f4f2c 1586->1589 1590 60f4f2d-60f4f37 1586->1590 1587->1582 1603 60f4f39-60f4f44 1590->1603 1604 60f4f46-60f4f4c 1590->1604 1595->1596 1596->1575 1613 60f4f4e 1603->1613 1604->1613 1618 60f4e05-60f4e0e 1611->1618 1619 60f4de1-60f4dfc 1611->1619 1616 60f4d99-60f4dc5 1612->1616 1617 60f4d91 1612->1617 1613->1587 1616->1611 1617->1616 1619->1618 1623->1560 1624->1560
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3dd3320302b7f8b66503551b6512891d6d20e20729d3b28c7a370abb9ca51e4b
                        • Instruction ID: 063b46e01ad06532721ff8983dae719b89a3eddf0e9f7f755c7b929cb75f842f
                        • Opcode Fuzzy Hash: 3dd3320302b7f8b66503551b6512891d6d20e20729d3b28c7a370abb9ca51e4b
                        • Instruction Fuzzy Hash: DA325D74750601CFDB58DF29C488A6ABBF2FF89300B1585A9EA06DB766DB30EC45CB50
                        Function 060D2071 Relevance: .6, Instructions: 569COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c66b398503e2c71073d8f1aae061ae6b18124a9cb000a41a78b4049688f40214
                        • Instruction ID: 2eb991f58e46a5d3ad9a8a3d3b9de341413f0679a4127feca38461a7f7074df9
                        • Opcode Fuzzy Hash: c66b398503e2c71073d8f1aae061ae6b18124a9cb000a41a78b4049688f40214
                        • Instruction Fuzzy Hash: 52228270B402149FDB549B24C864EAE7BB2EFC8704F1185C9EA069B391DF71EE818F91
                        Function 060D00B8 Relevance: .3, Instructions: 338COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a2bbb01a028b2f37aa70f9a9afaa2e6f2ead64075d1435e2865dbf0ba0e3bbba
                        • Instruction ID: f348c8beed9e557a51a1f7e39e979a7024294c97e38b45ee314c43d124b471ad
                        • Opcode Fuzzy Hash: a2bbb01a028b2f37aa70f9a9afaa2e6f2ead64075d1435e2865dbf0ba0e3bbba
                        • Instruction Fuzzy Hash: 17C14E34B407049FEB849F64C898B6E7AF6FF89704F10415AEA069B3A1DBB5DC41CB52
                        Function 060D1582 Relevance: .3, Instructions: 336COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dc0a4e17a590dda31fbb8459dbeeee31898f3ab8e6ec3e4fc08337d82cb1c030
                        • Instruction ID: ebad115cc70c8a88a8f4d29cb1811df1edb19a9c45d5366139ea326328af4247
                        • Opcode Fuzzy Hash: dc0a4e17a590dda31fbb8459dbeeee31898f3ab8e6ec3e4fc08337d82cb1c030
                        • Instruction Fuzzy Hash: 42C1E530B403019FEB949BA8C458A6E7FE6AF89704F1045ABE602CB392DFB5DC41CB51
                        Function 060D0753 Relevance: .3, Instructions: 310COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2b2650f8b2f0135ab0eec56acc1b08c82a3d99cb9bfd5840e4dd4c60bf4e4b7e
                        • Instruction ID: d41a61e94f3f673b4edacc99a4da080d1f89dea102d5da5b972e1b1ab6b2225b
                        • Opcode Fuzzy Hash: 2b2650f8b2f0135ab0eec56acc1b08c82a3d99cb9bfd5840e4dd4c60bf4e4b7e
                        • Instruction Fuzzy Hash: 89B14B34B40704DFEB849F64C898B6D7AA6EF89704F10815AEA069B3A1DBB5DC41CB91
                        Function 060D06DB Relevance: .3, Instructions: 309COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ae4c277b26dcb2277b176081e200a5ea44a2c1aaf95cc17ea4b43e43c636953e
                        • Instruction ID: 942836300981fb3e37358beacbb46714621794e36b79a3f08aa74e553754ccf3
                        • Opcode Fuzzy Hash: ae4c277b26dcb2277b176081e200a5ea44a2c1aaf95cc17ea4b43e43c636953e
                        • Instruction Fuzzy Hash: 6FB15B34B40704DFEB849F64C898B6D7AB6EF89704F10815AEA069B3A1DFB5DC41CB91
                        Function 060D0663 Relevance: .3, Instructions: 309COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 25cbdd374b625936c39e235de6226b44b54485ebf191afa24471ddb80e1a58a7
                        • Instruction ID: e1461034f5d9acfbcdc1ade34981b0c5e8090f2c8b1b2823c7d8736c01eb3b75
                        • Opcode Fuzzy Hash: 25cbdd374b625936c39e235de6226b44b54485ebf191afa24471ddb80e1a58a7
                        • Instruction Fuzzy Hash: 67B15A34B40704DFEB849F64C898B6D7AA6EF89704F10815AEA069B3A1DBB5DC41CB91
                        Function 060D05EB Relevance: .3, Instructions: 308COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8d0a681f25fc99a3f006fa7f5a9c4905d5bb84fd642c2fa910dc4a830f93c42b
                        • Instruction ID: 64e332849bf88394edc54d12926566dd1589039420bf20c4551e0baf8525e785
                        • Opcode Fuzzy Hash: 8d0a681f25fc99a3f006fa7f5a9c4905d5bb84fd642c2fa910dc4a830f93c42b
                        • Instruction Fuzzy Hash: 16B15A34B407049FEB849F64C898B6D7AF6EF89704F10815AEA069B3A1DBB5DC41CB91
                        Function 060F48A8 Relevance: .3, Instructions: 279COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 166dfdfc8e655afb44f130d37dbbd3b28abf0fcc770974aa046853f570dc78dc
                        • Instruction ID: 361b78cc5b3f0bd569c9adcc0ab73db990fa3f2a578c387b830bb60f17e1934b
                        • Opcode Fuzzy Hash: 166dfdfc8e655afb44f130d37dbbd3b28abf0fcc770974aa046853f570dc78dc
                        • Instruction Fuzzy Hash: 07B13734B106058FDB54DF29C588AAABBF2BF88204B1544A8E546DB776DB30ED45CB50
                        Function 060F7D58 Relevance: .1, Instructions: 147COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3e3fb7b6f3da385383851220acf675ba9154f12debb3fc290aee5025c8dfffd8
                        • Instruction ID: 7d2b5942091488e32bc3157bef31282652183b5ad186adb0cdb5204717f5c372
                        • Opcode Fuzzy Hash: 3e3fb7b6f3da385383851220acf675ba9154f12debb3fc290aee5025c8dfffd8
                        • Instruction Fuzzy Hash: 4E514771E50318CFEB94CFA9D840BDEBBF1AF88700F14812AE515AB644EB749846CF81
                        Function 060D2FC8 Relevance: .1, Instructions: 143COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7f6e761cb0c9905e1137693b5d4f5878fb3cf290b9052d9efd8abe678ae328b1
                        • Instruction ID: 5c8837b120e961f99efde0246e28a60280db2ace95a938755c35b823b37c25c8
                        • Opcode Fuzzy Hash: 7f6e761cb0c9905e1137693b5d4f5878fb3cf290b9052d9efd8abe678ae328b1
                        • Instruction Fuzzy Hash: 08514935B502199FCB48DF69C89499EBBF2FF89314B11806AED05AB361DB71EC05CB50
                        Function 060D34D8 Relevance: .1, Instructions: 143COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ceb5b21ef72b3432c6a4ac0a5acdb77933e6ea59a6da7071b66b899c08f0a154
                        • Instruction ID: 94998ae701333d7feb5c594bb2409c2175f9ac9d6c9fad2772d32ce6b652e97d
                        • Opcode Fuzzy Hash: ceb5b21ef72b3432c6a4ac0a5acdb77933e6ea59a6da7071b66b899c08f0a154
                        • Instruction Fuzzy Hash: 23515A35B502159FCB58DF69C88499EBBF2FF89314B1181A9E905AB361DB70EC05CB60
                        Function 060D3818 Relevance: .1, Instructions: 137COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4e9fdf02f0c8c9504a6984c68bd67f9750536fd0ddd7e3b332b0e4693424558d
                        • Instruction ID: a56a729c8fb8551732bdebf121141bcd8597af64d844842191ac572720974845
                        • Opcode Fuzzy Hash: 4e9fdf02f0c8c9504a6984c68bd67f9750536fd0ddd7e3b332b0e4693424558d
                        • Instruction Fuzzy Hash: 59515D34B542059FCB85DF58D998E6E7BE6EFCA700B118085EA059B3A6CB71DC018B72
                        Function 060F7D4C Relevance: .1, Instructions: 130COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 94227623b60b096fc7839eb7c788bf4b9d2095478cc71c1662956de9c94a419a
                        • Instruction ID: 5dc8b386ca704ef359841a1bef7a44ab55e8c77fa0d20fcdf86ee0fab67448d6
                        • Opcode Fuzzy Hash: 94227623b60b096fc7839eb7c788bf4b9d2095478cc71c1662956de9c94a419a
                        • Instruction Fuzzy Hash: C95156B0D503598FDB94CFA9D880BDEBFF1AF48700F14852AE405AB644EB749846CF82
                        Function 060F3DE0 Relevance: .1, Instructions: 113COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 75e8019bbce2f6052524f66604c738917e84ea6418b7fc838afe93c27cf5ca57
                        • Instruction ID: b1e5f0945a612820acaac0d029621f0b242bc13d985a41f7dbdc24c313025721
                        • Opcode Fuzzy Hash: 75e8019bbce2f6052524f66604c738917e84ea6418b7fc838afe93c27cf5ca57
                        • Instruction Fuzzy Hash: F331E3317042508FD72ABB38E8505AE7BE6DFC622031948BAD54ACB791DE75EC07C7A1
                        Function 060F5579 Relevance: .1, Instructions: 103COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 193b69f25ffe0309c0c21e40b155abe3b4d3aa00671b11bbc7e0c2f38f4e70a4
                        • Instruction ID: 421f57b71b3820b71102013142d60c904316b4533fcc792c32559b43018f06b3
                        • Opcode Fuzzy Hash: 193b69f25ffe0309c0c21e40b155abe3b4d3aa00671b11bbc7e0c2f38f4e70a4
                        • Instruction Fuzzy Hash: B2314B35B112149FCB59DF38D8849AEBFB2FF89201B148569EA05DB365DB30ED05CB90
                        Function 060F84C8 Relevance: .1, Instructions: 102COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 870a0691c78f394795425b5931a2dda1319d1e633f372451f1a09f6430bdb8e0
                        • Instruction ID: 9ddaea598a05e472fa857ec5db444d3672759dc867d77a8e63234af4c0622f42
                        • Opcode Fuzzy Hash: 870a0691c78f394795425b5931a2dda1319d1e633f372451f1a09f6430bdb8e0
                        • Instruction Fuzzy Hash: CD31DF757002148BDB58AF79A8542BE3BE7EFC8200B54447AD606CB385EE74DE0287D2
                        Function 060F5588 Relevance: .1, Instructions: 96COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a98abc486071aec98c391d5d75b23f1a0f662283f73f83f1ee65ee10cb8a39b6
                        • Instruction ID: b5d84b1397ba063efa8d9b47d909cdde76eaf038a08d50f1e68ac7e02d471aac
                        • Opcode Fuzzy Hash: a98abc486071aec98c391d5d75b23f1a0f662283f73f83f1ee65ee10cb8a39b6
                        • Instruction Fuzzy Hash: 1E315734B112109FCB49DF38D8849AEBFB2FF89201B008469FA068B365DB30ED01CB90
                        Function 060F87A0 Relevance: .1, Instructions: 93COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fb77bf13f051b862186bbc4da25c57a253c4df5ec1f2581e929263205f99d0eb
                        • Instruction ID: 50ecc114dd27cd7f8d995cf0bd771175c08094c447a2c47d74b566b696b1d6bb
                        • Opcode Fuzzy Hash: fb77bf13f051b862186bbc4da25c57a253c4df5ec1f2581e929263205f99d0eb
                        • Instruction Fuzzy Hash: B84101B1D112489FDB54CFAAD940ADEFFF6AF88310F10802AE515B7250DB74A946CF90
                        Function 060F8796 Relevance: .1, Instructions: 80COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cd9c900a160ac8507d75a39a885aea3910e0f7d7c6072d001ab693a29d46ba5a
                        • Instruction ID: 831f8d268396cb9649edb281212a21e89758c85d42c1650e4c429a9962fb216c
                        • Opcode Fuzzy Hash: cd9c900a160ac8507d75a39a885aea3910e0f7d7c6072d001ab693a29d46ba5a
                        • Instruction Fuzzy Hash: CE3112B1D112489FDB54DFAAC940ADEBFF6AF88310F14802AE415B7290DB749946CF50
                        Function 060F8A98 Relevance: .1, Instructions: 77COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eb37ad0523738089675a0ab7eb6aaa0507c83e76fa28777101faf92013c5cd9b
                        • Instruction ID: 22dfe5c17bf9b23a453ac07f8096601c5f4d345a12012fd407e56b83b4244701
                        • Opcode Fuzzy Hash: eb37ad0523738089675a0ab7eb6aaa0507c83e76fa28777101faf92013c5cd9b
                        • Instruction Fuzzy Hash: F63103B1D112489FDB54CFA9D894BDEBBF5AF88310F14842AE509B7240DB74A846CB90
                        Function 00BBD3D8 Relevance: .1, Instructions: 75COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2366868781.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_bbd000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dfd9ab88bdf9f9e2b11fec660cc2d20c3f11f34382e1274cf30b6ce085a5f531
                        • Instruction ID: 95a6abc66ffe626a499fcb0d7bc827d83e69233909e1952cbbcfa26b5d092926
                        • Opcode Fuzzy Hash: dfd9ab88bdf9f9e2b11fec660cc2d20c3f11f34382e1274cf30b6ce085a5f531
                        • Instruction Fuzzy Hash: 61214872100204DFDB04DF00D9C0B76BFA5FB94324F20C5ACD9090B316D3BAE856CAA2
                        Function 00BBD4C4 Relevance: .1, Instructions: 75COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2366868781.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_bbd000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fec11d462e2f53025f2e966b2e65ef8bebf633f6b7114697032f5b795c54921a
                        • Instruction ID: f502f219f4fe85b5dfce4ae6fef7f0f2a6ca8fca588543a8c44dfb88caf41e94
                        • Opcode Fuzzy Hash: fec11d462e2f53025f2e966b2e65ef8bebf633f6b7114697032f5b795c54921a
                        • Instruction Fuzzy Hash: 1A214572500240EFDB24DF14D9C0B7ABFA1FB94318F20C5A9D9090B216D3BAD856CAA1
                        Function 060D1069 Relevance: .1, Instructions: 73COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381714568.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60d0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 36950832e05e8cc4be91bb77cd7f031dbc683b49143008cd017527d8fb06af30
                        • Instruction ID: 83459e17834aad9cee0ac64097485e02524e39b6211165c70e0d4120aee4dae8
                        • Opcode Fuzzy Hash: 36950832e05e8cc4be91bb77cd7f031dbc683b49143008cd017527d8fb06af30
                        • Instruction Fuzzy Hash: 3F21D434B40204EFDB44DB69D9449AEBBFAFFD821071586AAE515873A1CF70DC50C7A1
                        Function 060F8F42 Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e12b5377ade3840aa3971193f11fba83b8464ddcc094d7970d2dad83aaabd956
                        • Instruction ID: fc217602d83de2514a08da8cd6b8a2043132fb08b2e6e5125178b41657bebfdc
                        • Opcode Fuzzy Hash: e12b5377ade3840aa3971193f11fba83b8464ddcc094d7970d2dad83aaabd956
                        • Instruction Fuzzy Hash: 6131DE74D5521ADFDB80CFA8D484AEDBBF1EB48301F2080AAE515A7350E7345A85CF90
                        Function 00BCD01C Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2366909471.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_bcd000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e293396cf084a3ea32c011acfd3a931eab2424c33f9f9d7b62084b06cf5ced8a
                        • Instruction ID: 2f7ac3ee0b69cfc4e9992d9f618268a56ce19fcef692da05cff3c99f02c5b993
                        • Opcode Fuzzy Hash: e293396cf084a3ea32c011acfd3a931eab2424c33f9f9d7b62084b06cf5ced8a
                        • Instruction Fuzzy Hash: 43212F79604240EFCB14DF28D9D0F26BBA1FB84324F20C5BDD90A4B252C77AD847CA62
                        Function 060F8A8C Relevance: .1, Instructions: 69COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 88a6b4cec28315c608311260f7fd828c0d4840370ee224ee0f2fb33603550077
                        • Instruction ID: 2580eb87d4dad65d3409e907f147d495bd976ce9c60ecd516b746506d67167e2
                        • Opcode Fuzzy Hash: 88a6b4cec28315c608311260f7fd828c0d4840370ee224ee0f2fb33603550077
                        • Instruction Fuzzy Hash: 972115B1D113489FDB54CFA9C895BDEBFF9AF48710F14842AE505B7240DB74A846CBA0
                        Function 00BCD006 Relevance: .1, Instructions: 60COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2366909471.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_bcd000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5ae4b7b2997f98f45eef75ad909afbb926301184b29cdf3641ce6bc77ac2f474
                        • Instruction ID: e66a05fba0b1da027f30fe23b23908fd7b8e392dc3ed8f18e6490461b53fccb7
                        • Opcode Fuzzy Hash: 5ae4b7b2997f98f45eef75ad909afbb926301184b29cdf3641ce6bc77ac2f474
                        • Instruction Fuzzy Hash: BC21A4795093808FCB12CF24D990B15BFB1EB45314F28C5EED8498B657C33AD80ACB62
                        Function 060F6E72 Relevance: .1, Instructions: 58COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b1c43cf7f0716f1780725b885a0b6f0ecbda9c5fe0b66d79ce3fbe8e0e69d4ff
                        • Instruction ID: f2db38ac96e273d68c3af09234327809406b7b38f57687a2e6bb20d60d47216d
                        • Opcode Fuzzy Hash: b1c43cf7f0716f1780725b885a0b6f0ecbda9c5fe0b66d79ce3fbe8e0e69d4ff
                        • Instruction Fuzzy Hash: F1015E6210C2D43FC7268EA99C61CEB7FECDE8A251709409BFAD4C6153C429CA55E7B1
                        Function 00BBD4BF Relevance: .1, Instructions: 56COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2366868781.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_bbd000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5a5504dfd99aeaae02a5904faf24bf7c180eb56da23d91347c8bcbb22ee6d9b3
                        • Instruction ID: a38a3132ac71b871c810eeac03a0a22b547035ff8949e00f57e1d702a7b404c6
                        • Opcode Fuzzy Hash: 5a5504dfd99aeaae02a5904faf24bf7c180eb56da23d91347c8bcbb22ee6d9b3
                        • Instruction Fuzzy Hash: A911E676504284CFCB15CF10D9C4B66BFB1FB94318F24C6E9D8494B616C37AD856CBA1
                        Function 00BBD3D3 Relevance: .1, Instructions: 56COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2366868781.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_bbd000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5a5504dfd99aeaae02a5904faf24bf7c180eb56da23d91347c8bcbb22ee6d9b3
                        • Instruction ID: 0a35b0e4067b026e2074f6df26ed9a8883a7c06bc86bd1ca7e41b12501900d82
                        • Opcode Fuzzy Hash: 5a5504dfd99aeaae02a5904faf24bf7c180eb56da23d91347c8bcbb22ee6d9b3
                        • Instruction Fuzzy Hash: FB11D676504280DFCB15CF10D5C4B66BFB1FB94314F24C6A9D8094B716C37AD456CB91
                        Function 060FBC5F Relevance: .1, Instructions: 55COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 996061166737782f3b2d37134cf852e68d31bd683541417d1740c3ee0289f56a
                        • Instruction ID: 0b0c9ffdc9a1cc9ba83e9b1105fe0ed0bec535439d99c587060b2afc4755fc4f
                        • Opcode Fuzzy Hash: 996061166737782f3b2d37134cf852e68d31bd683541417d1740c3ee0289f56a
                        • Instruction Fuzzy Hash: 5901C4312122059FC699B734AC586BE3FE3EEC1351388495DE60797A91CDB07A4ECBE1
                        Function 060F8350 Relevance: .0, Instructions: 50COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 387eb7433cdea8f0638d529300138e42928e0332cc90bddd8991d91d281328e8
                        • Instruction ID: b4f25d5099e43b796db94e1786b9b4259f612439ed61abae02f7e202f4f899db
                        • Opcode Fuzzy Hash: 387eb7433cdea8f0638d529300138e42928e0332cc90bddd8991d91d281328e8
                        • Instruction Fuzzy Hash: 3E01D472B001099BDB54DEA9EC84ABFFBFAEBD4610B148036E604D3240EB70991587A0
                        Function 060FBC70 Relevance: .0, Instructions: 46COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8bd1e6388a1b518f164b76ae97d6dff89f9d9c4d330782e8be79c02562278719
                        • Instruction ID: a4371753e6fff3de42f160db0dd608d6bbf80c33f0eb39c47d5ed6c27b9b60de
                        • Opcode Fuzzy Hash: 8bd1e6388a1b518f164b76ae97d6dff89f9d9c4d330782e8be79c02562278719
                        • Instruction Fuzzy Hash: 8A01B1312112059F8688B738E85867E3BE3EFC4350388482DE60787A80DEF07D4E8B91
                        Function 00BBDAA5 Relevance: .0, Instructions: 45COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2366868781.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_bbd000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5dc59c87336cf99f126477c28dd9ffc6a674a688a244b52b7257a5e35e2b0867
                        • Instruction ID: c87aadc6842ff52a5538ca3c4fa5afdab640942ef31baf3a6093f6aa6d5166b2
                        • Opcode Fuzzy Hash: 5dc59c87336cf99f126477c28dd9ffc6a674a688a244b52b7257a5e35e2b0867
                        • Instruction Fuzzy Hash: 7301F2710083449BE7208B25CDC4BB7BFD8DF81724F18C89AEE085A282DAFC9840C771
                        Function 060F5508 Relevance: .0, Instructions: 42COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d0d8292482387664d847a94a7e4779c4bcbd7cdf2cfe7ac182bd21ef82e1b48d
                        • Instruction ID: d02462348054c15ed07dbab4b4e9f9bdd50ba92202f8c73bc4850574d30e0ecc
                        • Opcode Fuzzy Hash: d0d8292482387664d847a94a7e4779c4bcbd7cdf2cfe7ac182bd21ef82e1b48d
                        • Instruction Fuzzy Hash: 8401D630A21302CFDBEA9B35A8145677FF3BF94605B04883CD60682D14DE71E480CB80
                        Function 060FE8B0 Relevance: .0, Instructions: 41COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5fc55ab2d815738a6883dd6863d14c6b1add2045ac5b9fbdc5d72da9c34fcb3d
                        • Instruction ID: 88bfb375d7a543d50de109cac4dafa1e7cb201c743f93e84f73ddaec3d0ba23e
                        • Opcode Fuzzy Hash: 5fc55ab2d815738a6883dd6863d14c6b1add2045ac5b9fbdc5d72da9c34fcb3d
                        • Instruction Fuzzy Hash: E701F434619308DFCB06EF74D8148A93FB6EF8620071488E9E505CB762EB36CD16CB90
                        Function 060FB358 Relevance: .0, Instructions: 40COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fe24eaf443306b0c58fdd7bd9edabfc63d4d80fef119ae1eb49f882a4bffa49a
                        • Instruction ID: 2736dab4793fba0b7713a2b85aedf0adbaf7617c97e29666f13e09e6a9ebea1a
                        • Opcode Fuzzy Hash: fe24eaf443306b0c58fdd7bd9edabfc63d4d80fef119ae1eb49f882a4bffa49a
                        • Instruction Fuzzy Hash: 2601B13090738AEFCB05EBB4E85859C7FB1FF45200B1405DED985A7291DA701A55CB51
                        Function 060F8F50 Relevance: .0, Instructions: 37COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bd5c58bd9c25b0f5809a4f028771ee3d6a06034dd89cce62963b7c7cff2e5d8a
                        • Instruction ID: 15ed4385417d0363dc3380c435c5bc1ec10db763c7c645d0761ab8d366b982bd
                        • Opcode Fuzzy Hash: bd5c58bd9c25b0f5809a4f028771ee3d6a06034dd89cce62963b7c7cff2e5d8a
                        • Instruction Fuzzy Hash: 0A01C4B4D4421ADFDB84DFA9D9446EEBBF1BB48301F1081A99515A3350E7780A44CF90
                        Function 00BBDAA4 Relevance: .0, Instructions: 36COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2366868781.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_bbd000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a384dec1bfa64ef3141cfabc2f894af74d9c868655d6730df9d1e2bdf4383c76
                        • Instruction ID: 7b8dfabb9c6b606ed9f1464d2e64390b8c80cada3e22b432a198001de3eb0fd0
                        • Opcode Fuzzy Hash: a384dec1bfa64ef3141cfabc2f894af74d9c868655d6730df9d1e2bdf4383c76
                        • Instruction Fuzzy Hash: D3F0C272404344AFE7208E15CDC4B62FFD8EB81725F18C45AED085B286C3B89840CB71
                        Function 060F6EA0 Relevance: .0, Instructions: 35COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fb706c8e7e4a76f7767b31381f18b1ff88e90a731dc53ea3842a47d0c34b224e
                        • Instruction ID: a6be3dc251ef15970a23aa1c260adbb97324bc26eda12532ceaa4572b5f842a3
                        • Opcode Fuzzy Hash: fb706c8e7e4a76f7767b31381f18b1ff88e90a731dc53ea3842a47d0c34b224e
                        • Instruction Fuzzy Hash: BEF0A7722081E83F8B154E9A5C10CFB7FEDDA8E1617084056FED8C2151C469C921ABB0
                        Function 060FADE9 Relevance: .0, Instructions: 35COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 126d4444cf2c0df73f09957d752bf00df1900bac10b8ea68d40b47f61e105d7c
                        • Instruction ID: f2b2a34690f6fd50af46eecc604f38df640d40c287a686bfe8da1e54e6a26838
                        • Opcode Fuzzy Hash: 126d4444cf2c0df73f09957d752bf00df1900bac10b8ea68d40b47f61e105d7c
                        • Instruction Fuzzy Hash: 98F027302061507FC3106B68A858ADB7FE6DFCA711B44055EF10BD3242CAA41A4A8770
                        Function 060F67C8 Relevance: .0, Instructions: 34COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cb531023bfc6638caf8bf0b5e6b9d2985f17e619c6d3dee4b1dcdef4e8c96229
                        • Instruction ID: 11b3c7e0dcd9740570a81c34b27604aa110e48d9545d1110391fed5a4d8bd0b6
                        • Opcode Fuzzy Hash: cb531023bfc6638caf8bf0b5e6b9d2985f17e619c6d3dee4b1dcdef4e8c96229
                        • Instruction Fuzzy Hash: 5AF09031BA03009FD760CB68D841F957FE5AB42721F14866AE354CB6E2D6B1E8069740
                        Function 060F8341 Relevance: .0, Instructions: 34COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c9fc3ca2c24cae414527b2acb1adeebd197d500f9026368fce1b233659c69794
                        • Instruction ID: c96c89efc178690bc74eb1040d48154fa903a6295cee1fb12834e028caf71d56
                        • Opcode Fuzzy Hash: c9fc3ca2c24cae414527b2acb1adeebd197d500f9026368fce1b233659c69794
                        • Instruction Fuzzy Hash: 73F0A772F501154BCB60DE69AC846EFBBF9EB95290708403AEA54C3200FB34891A8791
                        Function 060FC170 Relevance: .0, Instructions: 34COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bd8a95a0d2b9f207d188df3f266ca1e627263d4017af5c5f274b083d68eb0296
                        • Instruction ID: fce6992d79b564be6c3556523f47c4558d4ad63eb7e52ba1584c85c358beaaee
                        • Opcode Fuzzy Hash: bd8a95a0d2b9f207d188df3f266ca1e627263d4017af5c5f274b083d68eb0296
                        • Instruction Fuzzy Hash: 3EF0A435503B058FD315DF25E90C562BBF6FF88301700865EE48BC2A55DB30A65ACF84
                        Function 060F54F8 Relevance: .0, Instructions: 33COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fe504c795ae0de51e9a7e09ed91f6a0fe09620a02f37a13217e1ddf7e838f46e
                        • Instruction ID: a606611277df837cf822b1817dc6afe77cbbaf9b2e984261efa278d1f4fb0baf
                        • Opcode Fuzzy Hash: fe504c795ae0de51e9a7e09ed91f6a0fe09620a02f37a13217e1ddf7e838f46e
                        • Instruction Fuzzy Hash: 9CF0F6305153419FDBA6CF20D910A677FF2AF81614F48849DE14546D22D675E989CB40
                        Function 060FC110 Relevance: .0, Instructions: 33COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4ef64d04cd97351649f032bfb33bf1d16b284a4d808ad3896f946f9603f13d5b
                        • Instruction ID: d8b308c825c7e569433dafa2d6d9cf2807f3a95b58725880dac3b0cbe47d1b56
                        • Opcode Fuzzy Hash: 4ef64d04cd97351649f032bfb33bf1d16b284a4d808ad3896f946f9603f13d5b
                        • Instruction Fuzzy Hash: F3F0963010A7D15FC312A739E81869B7FF6DFC2204B08059EE28687692CAA56A15C7A1
                        Function 060F8FC0 Relevance: .0, Instructions: 33COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ec224d4d8a1c88ad4f50f148a30d47e4d59fd38f2f7d8a53ce233ce3bf0a9b85
                        • Instruction ID: 35e14a588466eca3dd0ea282316e37ca1cf46f40f7ccff27216a8e64b917fe09
                        • Opcode Fuzzy Hash: ec224d4d8a1c88ad4f50f148a30d47e4d59fd38f2f7d8a53ce233ce3bf0a9b85
                        • Instruction Fuzzy Hash: B6F0CDB1C48159DFDB80CFA4C8145EEBFB0EB5A201F0081CAE506E7750E7394A41CB40
                        Function 060FACB8 Relevance: .0, Instructions: 33COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5764ef84d630fe5d2f2dfd7fb8317ac1fba27bf1bcdaffaf14d67ce9d6e4b6a1
                        • Instruction ID: 5b6d099a239bb5030ed7e0e47ae5cb8059e52ed95e3e673a922621f40a4d0caf
                        • Opcode Fuzzy Hash: 5764ef84d630fe5d2f2dfd7fb8317ac1fba27bf1bcdaffaf14d67ce9d6e4b6a1
                        • Instruction Fuzzy Hash: 27F0E26270B1A09FC7162B786C240AD3FB2DDD664234844CFE28BCB6A1CA544606C3E1
                        Function 060FB368 Relevance: .0, Instructions: 32COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a767f916ca5203babc52247d8e9e993978bd567e70f56566c0b50749334fd483
                        • Instruction ID: 539227b28f09af8688c5492d0df60f2edfd7d16c64552bfef6a78b9bd73eb830
                        • Opcode Fuzzy Hash: a767f916ca5203babc52247d8e9e993978bd567e70f56566c0b50749334fd483
                        • Instruction Fuzzy Hash: E7F01934E0224AEFCB48EBB8E85C59C7BB2FB84200B5445A9D906A7395DA702A558F41
                        Function 060FADF8 Relevance: .0, Instructions: 28COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7d10c5accd36d83c9bee33a6c4d4d07e4b4d60b12b9f62471e67a54051d9bc0b
                        • Instruction ID: a43c2945f1bc889145a900bd748ec8090ee943afc3b4392f5e9c9f7537ad453a
                        • Opcode Fuzzy Hash: 7d10c5accd36d83c9bee33a6c4d4d07e4b4d60b12b9f62471e67a54051d9bc0b
                        • Instruction Fuzzy Hash: EDE09231306110BFC3146A5AE848AEE7ADAEFCA751B80402DF20FD3242CEA1290547A5
                        Function 060FC180 Relevance: .0, Instructions: 27COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a655486aa217a06db09def32f2f5c66f1f652b9923b6308fbb56b01b50c2966f
                        • Instruction ID: 7ad6d098ade793f1400962e998e553744b04747fd8748bad80106bc43519dd5f
                        • Opcode Fuzzy Hash: a655486aa217a06db09def32f2f5c66f1f652b9923b6308fbb56b01b50c2966f
                        • Instruction Fuzzy Hash: E9F09034502B05CFD715DF26E80C522BBF6FB88301B00C62EE94B82A50DB70A54ACF84
                        Function 060FB500 Relevance: .0, Instructions: 25COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 167bee89d1bb60dacf3be430218b54e1ec83495c674dc68f0584281e84d8ef24
                        • Instruction ID: 9e771b97a7b8c0274347ad5e3010cbd7e96a857c673b23e2dab0f6e818623383
                        • Opcode Fuzzy Hash: 167bee89d1bb60dacf3be430218b54e1ec83495c674dc68f0584281e84d8ef24
                        • Instruction Fuzzy Hash: 1FF01535D0120EAFCB01DFB4E9488CEBFB9EB44200F1042AAE885E2280EA305B55DB81
                        Function 060FC120 Relevance: .0, Instructions: 25COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ab7199fcc46a12811af2fb667cb590008e059d2504d594891d592ec9a556ea4c
                        • Instruction ID: 98a82629d9a7260b0826faafdfc1afbfd0212cd2ad76698c068eb71a9b988cf0
                        • Opcode Fuzzy Hash: ab7199fcc46a12811af2fb667cb590008e059d2504d594891d592ec9a556ea4c
                        • Instruction Fuzzy Hash: 14E0A9302017968FC211AB29E80C7AE7FE6DFC1304F04092EE24687A81CBE1A9028B91
                        Function 060FCC38 Relevance: .0, Instructions: 25COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 44a28924695c92a5069e64e4388c8343fb071e3c2dbf287834fdb121e5d4c0fe
                        • Instruction ID: be733a54f5bd3b173f3dacedea0561c81235918cdff1e3e0d1476a38731f81d0
                        • Opcode Fuzzy Hash: 44a28924695c92a5069e64e4388c8343fb071e3c2dbf287834fdb121e5d4c0fe
                        • Instruction Fuzzy Hash: 48E026316076A09FC712FB29FC04ADB3FE1DF86B14B1045D6E20087746CA301946CBE1
                        Function 060F5698 Relevance: .0, Instructions: 24COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 94c96a573ece7ae16d07b16fed73563095f96405fdc2ff6bce893c9bae242591
                        • Instruction ID: 85b2632298bf412970efd37bad4ec979a434867f07372dcd5c8c7e1e206de8f1
                        • Opcode Fuzzy Hash: 94c96a573ece7ae16d07b16fed73563095f96405fdc2ff6bce893c9bae242591
                        • Instruction Fuzzy Hash: 58E092B211C3109FC3459B20EC44896BBA8EB95221B05886EF590C7241E732E882CBA5
                        Function 060FE280 Relevance: .0, Instructions: 23COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3af9b989e3ae656adf8cdfd820df18dddab516cdb3578fdb35b74133e7e8c065
                        • Instruction ID: 559aa49895052b21516ea337ea0c2e7ba4bd5e9c6fd32bc226a123b1ff61f720
                        • Opcode Fuzzy Hash: 3af9b989e3ae656adf8cdfd820df18dddab516cdb3578fdb35b74133e7e8c065
                        • Instruction Fuzzy Hash: B1E0D831805B019FC745FB10FD039453FF1EB5AB04B111499DE40477A5DB641E99CBD2
                        Function 060FCE88 Relevance: .0, Instructions: 23COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6beab823045241e357ab4f8ce397ea9a7bcadcd5ec0c534417647c4e0bf24c99
                        • Instruction ID: 8dbc5b18078f28bc7acb41e801ed280c5511fadd5f97c87917e105142ccbd0a9
                        • Opcode Fuzzy Hash: 6beab823045241e357ab4f8ce397ea9a7bcadcd5ec0c534417647c4e0bf24c99
                        • Instruction Fuzzy Hash: 5BE0DF7080A791AFD742F720B805AAA3FB59F46B14B1509CAEE808BB46CA748945C7D0
                        Function 060FE1FF Relevance: .0, Instructions: 22COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5e1af830e706d19b518daea391a3a9f272c3173032f18faa7392843bca6c7b7c
                        • Instruction ID: c8b59d67f2521917a705b41bdf1ac9ab245f5c4851a12d2d5b611f761254fcfc
                        • Opcode Fuzzy Hash: 5e1af830e706d19b518daea391a3a9f272c3173032f18faa7392843bca6c7b7c
                        • Instruction Fuzzy Hash: A5E0D871E06204FFC701DFA4EC409DD3BB1DF82600F2041DAE805D7251D5B01F108752
                        Function 060FAC80 Relevance: .0, Instructions: 20COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: aea11208f9b265738795fc6fd9810d8e1f43f739d26a4c79610f5aa18fd4fe3a
                        • Instruction ID: 42fa68fde5f444e15db43edc544179e6b60e26f02f75165e3316c9cd60e45cc8
                        • Opcode Fuzzy Hash: aea11208f9b265738795fc6fd9810d8e1f43f739d26a4c79610f5aa18fd4fe3a
                        • Instruction Fuzzy Hash: AFD05E31302129A78A097769F4184BE7BFBEEC5A62344042EE70BC3240CFA52D4287D5
                        Function 060FB510 Relevance: .0, Instructions: 19COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8e0b4c16fd6d6387562cd713c88069defc9d8484cebdb46d22ff920b1419b6cc
                        • Instruction ID: 56e10b76a4360f72d75c3123754d7cabf776b5f684999d444ea2ec480a0859ac
                        • Opcode Fuzzy Hash: 8e0b4c16fd6d6387562cd713c88069defc9d8484cebdb46d22ff920b1419b6cc
                        • Instruction Fuzzy Hash: 81E09275D0120DEFCB40DFE5E9488DDBBB9FB48200F1082AAD909A3240EB316B56DF80
                        Function 060FE8F8 Relevance: .0, Instructions: 18COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ec47609268b5d8d2fab67b4e42360d937d1b677eab2dd6f7d84dff28fb9cad57
                        • Instruction ID: 86e5af9b367c98c5d5a192be47913262905b9a3b4d7e5a5863e7a85543ac0acb
                        • Opcode Fuzzy Hash: ec47609268b5d8d2fab67b4e42360d937d1b677eab2dd6f7d84dff28fb9cad57
                        • Instruction Fuzzy Hash: F7D01739225140AFCB029B64C940CA63F36AF5A61030880C6F5458F6B2C232C925DB60
                        Function 060FE210 Relevance: .0, Instructions: 16COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4303490cf6d99ccb0b82cc97aa20fa6abb40953d759456d6b7a08805599c8d46
                        • Instruction ID: ae829060d81d58e473e326d30b740be0e54397150c190c240579a67727730379
                        • Opcode Fuzzy Hash: 4303490cf6d99ccb0b82cc97aa20fa6abb40953d759456d6b7a08805599c8d46
                        • Instruction Fuzzy Hash: 8CD01271A0120CFF8B44EFA8E90155D77F5DF45604B5045DDD509E3200DA712F009B90
                        Function 060FF8EA Relevance: .0, Instructions: 14COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: baf788054bec060be4af8c475c274bb3b368da56e7d5f0b1fd0538a7c990c24a
                        • Instruction ID: e3300e86139a94cb03c4310134a3653f99aaad7e0e9700f8a838195ee66f3973
                        • Opcode Fuzzy Hash: baf788054bec060be4af8c475c274bb3b368da56e7d5f0b1fd0538a7c990c24a
                        • Instruction Fuzzy Hash: 0BC012327151200F8784BA6C78142AD6AD786C86A33C9406BEA0EE3388CDB08D428B94
                        Function 060F3721 Relevance: .0, Instructions: 11COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f73a013390103355e8d88c42060b7fc93f0c34dbb5a1d86ed30d0bab04ad4856
                        • Instruction ID: 62c570575c50fca91f05b7352185fb23656644a99ab6441e17c281cabb97e7a8
                        • Opcode Fuzzy Hash: f73a013390103355e8d88c42060b7fc93f0c34dbb5a1d86ed30d0bab04ad4856
                        • Instruction Fuzzy Hash: 38C08C3119D3805FD3168B108C87A913F71EB82705B0A0082EAC2DB0A3CA69902CC276
                        Function 060FDFD1 Relevance: .0, Instructions: 8COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 20fc870dec95435494f246eb964d304d25c7af9f6569f6f740a396199a42e170
                        • Instruction ID: 560a06b5f9169367ad1610b94a2219ec0b626c77d2cb5ff39340825802dc21e1
                        • Opcode Fuzzy Hash: 20fc870dec95435494f246eb964d304d25c7af9f6569f6f740a396199a42e170
                        • Instruction Fuzzy Hash: 5EC04C7254B7D05EDB0257749D1D4053E615F4671471501CBA2818A4A3D5214019C751

                        Non-executed Functions

                        Function 060F6FE8 Relevance: .8, Instructions: 786COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b30372109e3fc0f05f22b84a17434c64de3b0620e559965176fb9b1a2b030554
                        • Instruction ID: 4737018bef3df081192a1d8f6957783978ac6089580c4286f6dec358fb115fe5
                        • Opcode Fuzzy Hash: b30372109e3fc0f05f22b84a17434c64de3b0620e559965176fb9b1a2b030554
                        • Instruction Fuzzy Hash: 9B622EB06002009BE74CEF59D45476A7EE6EF84308F64C5AC910A9F396DFF6D90B8B91
                        Function 060F6FF8 Relevance: .8, Instructions: 780COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2381746585.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4f1ee12b54d2aa7dac6cf75ebd311bd2799e8207d09cc19cd347acef467d33b2
                        • Instruction ID: 6a1eaae3fc0a40df10ff961b9040f2a03866eeb6cc5c2e75104ee83bd55661de
                        • Opcode Fuzzy Hash: 4f1ee12b54d2aa7dac6cf75ebd311bd2799e8207d09cc19cd347acef467d33b2
                        • Instruction Fuzzy Hash: F9622EB06002009BE74CEF59D45476A7EE6EF84308F64C5AC910A9F392DFF6D90B8B95
                        Function 04DE0040 Relevance: .3, Instructions: 315COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2379471819.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_4de0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1e3e5a2f6e527d979b2394a28d203786b358eb4d06dc5b1658b4eb11f7acc6c2
                        • Instruction ID: 478f10cf33c3792724d5d7ef75857c67aecb66f5a615c46a10ca610b4984cf62
                        • Opcode Fuzzy Hash: 1e3e5a2f6e527d979b2394a28d203786b358eb4d06dc5b1658b4eb11f7acc6c2
                        • Instruction Fuzzy Hash: 0F1297B2C82B45CAEB90CF65E84C18D3BB1B741318BD16A09D3631B2D5D7B419E6CF48
                        Function 00C1DC74 Relevance: .3, Instructions: 264COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2367137253.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_c10000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7427e78dfe54634291b5424b24521a8a4cb584af1f822ab93bd501931a5ae1ef
                        • Instruction ID: 5e561b1d442f089094b11b68ffbf6eda7fee132f5f629a78d0077d126df7e734
                        • Opcode Fuzzy Hash: 7427e78dfe54634291b5424b24521a8a4cb584af1f822ab93bd501931a5ae1ef
                        • Instruction Fuzzy Hash: 74A17D32E002158FCF05DFB4C8405DEB7B2FF86300B15457AE916AB265DB71EA96EB80
                        Function 04DE0007 Relevance: .2, Instructions: 244COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.2379471819.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_4de0000_RegAsm.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 91330fdc8a7031c7de50caddc14ad77315d2d3045cfd483d9dd509b55def95d1
                        • Instruction ID: 16e660e31f18c86e3bcb9ec924f1e5a576ea36da17c0286df77fea72e3739abd
                        • Opcode Fuzzy Hash: 91330fdc8a7031c7de50caddc14ad77315d2d3045cfd483d9dd509b55def95d1
                        • Instruction Fuzzy Hash: E1C10CB1C82745CBDB91CF25E84818D7BB1BB85314B916A09D3636B2D1DBB418EACF48