Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
kYpONUhAR5.exe

Overview

General Information

Sample name:kYpONUhAR5.exe
renamed because original name is a hash value
Original sample name:58e8b2eb19704c5a59350d4ff92e5ab6.exe
Analysis ID:1520626
MD5:58e8b2eb19704c5a59350d4ff92e5ab6
SHA1:171fc96dda05e7d275ec42840746258217d9caf0
SHA256:07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834
Tags:exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • kYpONUhAR5.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\kYpONUhAR5.exe" MD5: 58E8B2EB19704C5A59350D4FF92E5AB6)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.215.113.67:15206"], "Bot Id": "newbundle2", "Message": "", "Authorization Header": "3367ae7efa83bc64a8a6c00729e22b91"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
kYpONUhAR5.exeJoeSecurity_RedLineYara detected RedLine StealerJoe Security

    PCAP (Network Traffic)

    SourceRuleDescriptionAuthorStrings
    dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
      dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000000.00000000.2140548501.0000000000E32000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
          00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Process Memory Space: kYpONUhAR5.exe PID: 4508JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Process Memory Space: kYpONUhAR5.exe PID: 4508JoeSecurity_RedLineYara detected RedLine StealerJoe Security

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.0.kYpONUhAR5.exe.e30000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security

                  Sigma Signatures

                  No Sigma rule has matched

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-09-27T17:22:10.992909+020020432341A Network Trojan was detected185.215.113.6715206192.168.2.649710TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-09-27T17:22:10.765544+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:16.045665+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:17.464550+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:17.712642+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:18.015035+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:18.279185+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:18.507423+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:20.639665+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:21.236540+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:21.469573+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:21.703432+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:22.134212+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:22.402884+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:22.728365+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:22.960033+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:23.210740+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:23.558591+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:23.564561+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:24.791517+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:25.161436+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:25.420755+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:25.678762+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:25.923591+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  2024-09-27T17:22:26.203907+020020432311A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-09-27T17:22:16.363786+020020460561A Network Trojan was detected185.215.113.6715206192.168.2.649710TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-09-27T17:22:10.765544+020020460451A Network Trojan was detected192.168.2.649710185.215.113.6715206TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: kYpONUhAR5.exeMalware Configuration Extractor: RedLine {"C2 url": ["185.215.113.67:15206"], "Bot Id": "newbundle2", "Message": "", "Authorization Header": "3367ae7efa83bc64a8a6c00729e22b91"}
                  Multi AV Scanner detection for submitted file
                  Source: kYpONUhAR5.exeReversingLabs: Detection: 81%
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Source: kYpONUhAR5.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: kYpONUhAR5.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.6:49710 -> 185.215.113.67:15206
                  Source: Network trafficSuricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.6:49710 -> 185.215.113.67:15206
                  Source: Network trafficSuricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 185.215.113.67:15206 -> 192.168.2.6:49710
                  Source: Network trafficSuricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.215.113.67:15206 -> 192.168.2.6:49710
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: 185.215.113.67:15206
                  Connects to many ports of the same IP (likely port scanning)
                  Source: global trafficTCP traffic: 185.215.113.67 ports 0,1,2,5,6,15206
                  Source: global trafficTCP traffic: 192.168.2.6:49710 -> 185.215.113.67:15206
                  Source: Joe Sandbox ViewIP Address: 185.215.113.67 185.215.113.67
                  Source: Joe Sandbox ViewIP Address: 185.215.113.67 185.215.113.67
                  Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000032DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000032DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000337F000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003269000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16V
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000032DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000032DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031D8000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000032E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003597000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003269000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003269000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                  Source: kYpONUhAR5.exeString found in binary or memory: https://api.ip.sb/ip
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp383F.tmpJump to dropped file
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp382E.tmpJump to dropped file
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeCode function: 0_2_017DDC740_2_017DDC74
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeCode function: 0_2_06A767D80_2_06A767D8
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeCode function: 0_2_06A7A3E80_2_06A7A3E8
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeCode function: 0_2_06A7A3D80_2_06A7A3D8
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeCode function: 0_2_06A76FE80_2_06A76FE8
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeCode function: 0_2_06A76FF80_2_06A76FF8
                  Source: kYpONUhAR5.exe, 00000000.00000000.2140592254.0000000000E76000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameHooshes.exe8 vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefirefox.exe0 vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXED vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q,\\StringFileInfo\\080904B0\\OriginalFilename vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsedge.exe> vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exe, 00000000.00000002.2319502479.000000000146E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exeBinary or memory string: OriginalFilenameHooshes.exe8 vs kYpONUhAR5.exe
                  Source: kYpONUhAR5.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/5@0/1
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp382E.tmpJump to behavior
                  Source: kYpONUhAR5.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: kYpONUhAR5.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: kYpONUhAR5.exeReversingLabs: Detection: 81%
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: esdsip.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
                  Source: Google Chrome.lnk.0.drLNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: kYpONUhAR5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: kYpONUhAR5.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: kYpONUhAR5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: kYpONUhAR5.exeStatic PE information: 0xEAE6B680 [Fri Nov 19 07:02:24 2094 UTC]
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeCode function: 0_2_06A7C711 push es; ret 0_2_06A7C720
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeCode function: 0_2_06A7D413 push es; ret 0_2_06A7D420
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeCode function: 0_2_06A7ECF2 push eax; ret 0_2_06A7ED01

                  Persistence and Installation Behavior

                  barindex
                  Installs new ROOT certificates
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 BlobJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeMemory allocated: 17D0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeMemory allocated: 3130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeMemory allocated: 5130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWindow / User API: threadDelayed 1299Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWindow / User API: threadDelayed 8534Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exe TID: 6516Thread sleep time: -30437127721620741s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
                  Source: kYpONUhAR5.exe, 00000000.00000002.2324939882.0000000006E9F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYY=
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.000000000370A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeMemory allocated: page read and write | page guardJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Users\user\Desktop\kYpONUhAR5.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                  Stealing of Sensitive Information

                  barindex
                  Yara detected RedLine Stealer
                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: Yara matchFile source: kYpONUhAR5.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.kYpONUhAR5.exe.e30000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.2140548501.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: kYpONUhAR5.exe PID: 4508, type: MEMORYSTR
                  Found many strings related to Crypto-Wallets (likely being stolen)
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ElectrumE#
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q4C:\Users\user\AppData\Roaming\Electrum\wallets\*
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: JaxxE#
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.walletLR
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum\walletsLR
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.walletLR
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: EthereumE#
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
                  Source: kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                  Tries to steal Crypto Currency Wallets
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                  Source: C:\Users\user\Desktop\kYpONUhAR5.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                  Source: Yara matchFile source: 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: kYpONUhAR5.exe PID: 4508, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected RedLine Stealer
                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: Yara matchFile source: kYpONUhAR5.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.kYpONUhAR5.exe.e30000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.2140548501.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: kYpONUhAR5.exe PID: 4508, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                  Windows Management Instrumentation                  		1
                  DLL Side-Loading                  		1
                  DLL Side-Loading                  		1
                  Masquerading                  		1
                  OS Credential Dumping                  		1
                  Query Registry                  		Remote Services1
                  Archive Collected Data                  		1
                  Encrypted Channel                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                  Disable or Modify Tools                  		LSASS Memory221
                  Security Software Discovery                  		Remote Desktop Protocol3
                  Data from Local System                  		1
                  Non-Standard Port                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)241
                  Virtualization/Sandbox Evasion                  		Security Account Manager1
                  Process Discovery                  		SMB/Windows Admin SharesData from Network Shared Drive1
                  Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                  Obfuscated Files or Information                  		NTDS241
                  Virtualization/Sandbox Evasion                  		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Install Root Certificate                  		LSA Secrets1
                  Application Window Discovery                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Timestomp                  		Cached Domain Credentials1
                  File and Directory Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  DLL Side-Loading                  		DCSync113
                  System Information Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  kYpONUhAR5.exe82%ReversingLabsByteCode-MSIL.Trojan.Whispergate

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                  https://api.ip.sb/ip0%URL Reputationsafe
                  http://schemas.xmlsoap.org/soap/envelope/0%URL Reputationsafe

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                    		unknown
                    http://schemas.xmlsoap.org/ws/2005/02/sc/sctkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        http://tempuri.org/Entity/Id14ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          http://tempuri.org/Entity/Id23ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000032E6000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinarykYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              http://tempuri.org/Entity/Id12ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                http://tempuri.org/kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  http://tempuri.org/Entity/Id2ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://tempuri.org/Entity/Id21ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          http://tempuri.org/Entity/Id9kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              http://tempuri.org/Entity/Id8kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://tempuri.org/Entity/Id6ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003597000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  http://tempuri.org/Entity/Id5kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/PreparekYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      http://tempuri.org/Entity/Id4kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        http://tempuri.org/Entity/Id7kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          http://tempuri.org/Entity/Id6kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              http://tempuri.org/Entity/Id19ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licensekYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssuekYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		unknown
                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequencekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		unknown
                                                                        http://tempuri.org/Entity/Id13ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		unknown
                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/faultkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		unknown
                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsatkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		unknown
                                                                              http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeykYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		unknown
                                                                                http://tempuri.org/Entity/Id15ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		unknown
                                                                                  http://tempuri.org/Entity/Id5ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		unknown
                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namekYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		unknown
                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		unknown
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		unknown
                                                                                          http://tempuri.org/Entity/Id6ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		unknown
                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeykYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		unknown
                                                                                              https://api.ip.sb/ipkYpONUhAR5.exefalse
                                                                                              • URL Reputation: safe
                                                                                              		unknown
                                                                                              http://schemas.xmlsoap.org/ws/2004/04/sckYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		unknown
                                                                                                http://tempuri.org/Entity/Id1ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		unknown
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		unknown
                                                                                                      http://tempuri.org/Entity/Id9ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003269000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		unknown
                                                                                                        http://tempuri.org/Entity/Id20kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		unknown
                                                                                                          http://tempuri.org/Entity/Id21kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		unknown
                                                                                                            http://tempuri.org/Entity/Id22kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		unknown
                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		unknown
                                                                                                                http://tempuri.org/Entity/Id23kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000032DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  		unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    		unknown
                                                                                                                    http://tempuri.org/Entity/Id24kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      		unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssuekYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        		unknown
                                                                                                                        http://tempuri.org/Entity/Id24ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          		unknown
                                                                                                                          http://tempuri.org/Entity/Id1ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            		unknown
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedkYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              		unknown
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlykYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                		unknown
                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplaykYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  		unknown
                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegokYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    		unknown
                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinarykYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      		unknown
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        		unknown
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeykYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          		unknown
                                                                                                                                          http://tempuri.org/Entity/Id21ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            		unknown
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressingkYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              		unknown
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssuekYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                		unknown
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  		unknown
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trustkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    		unknown
                                                                                                                                                    http://tempuri.org/Entity/Id10kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      		unknown
                                                                                                                                                      http://tempuri.org/Entity/Id11kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        		unknown
                                                                                                                                                        http://tempuri.org/Entity/Id10ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000032DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          		unknown
                                                                                                                                                          http://tempuri.org/Entity/Id12kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            		unknown
                                                                                                                                                            http://tempuri.org/Entity/Id16ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              		unknown
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                		unknown
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  		unknown
                                                                                                                                                                  http://tempuri.org/Entity/Id13kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    		unknown
                                                                                                                                                                    http://tempuri.org/Entity/Id14kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      		unknown
                                                                                                                                                                      http://tempuri.org/Entity/Id15kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        		unknown
                                                                                                                                                                        http://tempuri.org/Entity/Id16kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          		unknown
                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/NoncekYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            		unknown
                                                                                                                                                                            http://tempuri.org/Entity/Id17kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              		unknown
                                                                                                                                                                              http://tempuri.org/Entity/Id18kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                		unknown
                                                                                                                                                                                http://tempuri.org/Entity/Id5ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  		unknown
                                                                                                                                                                                  http://tempuri.org/Entity/Id19kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    		unknown
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnskYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      		unknown
                                                                                                                                                                                      http://tempuri.org/Entity/Id15ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        		unknown
                                                                                                                                                                                        http://tempuri.org/Entity/Id10ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000032DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          		unknown
                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RenewkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            		unknown
                                                                                                                                                                                            http://tempuri.org/Entity/Id11ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.000000000337F000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              		unknown
                                                                                                                                                                                              http://tempuri.org/Entity/Id8ResponsekYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                		unknown
                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeykYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  		unknown
                                                                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    		unknown
                                                                                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      		unknown
                                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        		unknown
                                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentitykYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          		unknown
                                                                                                                                                                                                          http://tempuri.org/Entity/Id17ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            		unknown
                                                                                                                                                                                                            http://schemas.xmlsoap.org/soap/envelope/kYpONUhAR5.exe, 00000000.00000002.2320321106.0000000003131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                                                            		unknown
                                                                                                                                                                                                            http://tempuri.org/Entity/Id8ResponseDkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              		unknown
                                                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeykYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                		unknown
                                                                                                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1kYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  		unknown
                                                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trustkYpONUhAR5.exe, 00000000.00000002.2320321106.00000000031DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    		unknown

                                                                                                                                                                                                                    World Map of Contacted IPs

                                                                                                                                                                                                                    • No. of IPs < 25%
                                                                                                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                                                                                                    • 75% < No. of IPs

                                                                                                                                                                                                                    Public IPs

                                                                                                                                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                    185.215.113.67
                                                                                                                                                                                                                    		unknownPortugal
                                                                                                                                                                                                                    		206894WHOLESALECONNECTIONSNLtrue

                                                                                                                                                                                                                    General Information

                                                                                                                                                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                    Analysis ID:1520626
                                                                                                                                                                                                                    Start date and time:2024-09-27 17:21:11 +02:00
                                                                                                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                    Overall analysis duration:0h 4m 34s
                                                                                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                    Report type:full
                                                                                                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                    Number of analysed new started processes analysed:6
                                                                                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                                                                                                    Technologies:
                                                                                                                                                                                                                    • HCA enabled
                                                                                                                                                                                                                    • EGA enabled
                                                                                                                                                                                                                    • AMSI enabled
                                                                                                                                                                                                                    Analysis Mode:default
                                                                                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                                                                                    Sample name:kYpONUhAR5.exe
                                                                                                                                                                                                                    renamed because original name is a hash value
                                                                                                                                                                                                                    Original Sample Name:58e8b2eb19704c5a59350d4ff92e5ab6.exe
                                                                                                                                                                                                                    Detection:MAL
                                                                                                                                                                                                                    Classification:mal100.troj.spyw.evad.winEXE@1/5@0/1
                                                                                                                                                                                                                    EGA Information:
                                                                                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                                                                                    HCA Information:
                                                                                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                                                                                    • Number of executed functions: 81
                                                                                                                                                                                                                    • Number of non-executed functions: 3
                                                                                                                                                                                                                    Cookbook Comments:
                                                                                                                                                                                                                    • Found application associated with file extension: .exe

                                                                                                                                                                                                                    Warnings

                                                                                                                                                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                                                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                    • VT rate limit hit for: kYpONUhAR5.exe

                                                                                                                                                                                                                    Simulations

                                                                                                                                                                                                                    Behavior and APIs

                                                                                                                                                                                                                    TimeTypeDescription
                                                                                                                                                                                                                    11:22:19API Interceptor57x Sleep call for process: kYpONUhAR5.exe modified

                                                                                                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                                                                                                    IPs

                                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                    185.215.113.67oMHveSc3hh.exeGet hashmaliciousAmadey RaccoonBrowse
                                                                                                                                                                                                                    • 185.215.113.67/4dcYcWsw3/index.php
                                                                                                                                                                                                                    0KuDEDABFO.exeGet hashmaliciousAmadey RaccoonBrowse
                                                                                                                                                                                                                    • 185.215.113.67/4dcYcWsw3/index.php
                                                                                                                                                                                                                    miOnrvnXK0.exeGet hashmaliciousAmadey RaccoonBrowse
                                                                                                                                                                                                                    • 185.215.113.67/4dcYcWsw3/index.php
                                                                                                                                                                                                                    Rh74sODsWE.exeGet hashmaliciousAmadey RaccoonBrowse
                                                                                                                                                                                                                    • 185.215.113.67/4dcYcWsw3/index.php
                                                                                                                                                                                                                    dSQUdo6EjO.exeGet hashmaliciousAmadey RaccoonBrowse
                                                                                                                                                                                                                    • 185.215.113.67/4dcYcWsw3/index.php
                                                                                                                                                                                                                    usVhwck8lN.exeGet hashmaliciousAmadey RaccoonBrowse
                                                                                                                                                                                                                    • 185.215.113.67/4dcYcWsw3/index.php
                                                                                                                                                                                                                    SecuriteInfo.com.W32.AIDetect.malware1.20102.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                                                                                    • 185.215.113.67/4dcYcWsw3/index.php
                                                                                                                                                                                                                    MR98F1zzeo.exeGet hashmaliciousAmadey Raccoon VidarBrowse
                                                                                                                                                                                                                    • 185.215.113.67/4dcYcWsw3/index.php
                                                                                                                                                                                                                    8f5718a6042061b23a4e42ee5cd8112946c135dc9d0c2.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                                                                                    • 185.215.113.67/4dcYcWsw3/index.php
                                                                                                                                                                                                                    fC4T1vVs24.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                                                                                    • umbrelladownload.uno/gp6GbqVce/index.php

                                                                                                                                                                                                                    Domains

                                                                                                                                                                                                                    No context

                                                                                                                                                                                                                    ASNs

                                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                    WHOLESALECONNECTIONSNLfile.exeGet hashmaliciousLummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, StealcBrowse
                                                                                                                                                                                                                    • 185.215.113.103
                                                                                                                                                                                                                    file.exeGet hashmaliciousStealcBrowse
                                                                                                                                                                                                                    • 185.215.113.37
                                                                                                                                                                                                                    file.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                                                                                                                    • 185.215.113.37
                                                                                                                                                                                                                    file.exeGet hashmaliciousStealcBrowse
                                                                                                                                                                                                                    • 185.215.113.37
                                                                                                                                                                                                                    file.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                                                                                    • 185.215.113.16
                                                                                                                                                                                                                    file.exeGet hashmaliciousStealcBrowse
                                                                                                                                                                                                                    • 185.215.113.37
                                                                                                                                                                                                                    file.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                                                                                                                    • 185.215.113.37
                                                                                                                                                                                                                    file.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                                                                                    • 185.215.113.16
                                                                                                                                                                                                                    file.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                                                                                    • 185.215.113.16
                                                                                                                                                                                                                    file.exeGet hashmaliciousStealcBrowse
                                                                                                                                                                                                                    • 185.215.113.37

                                                                                                                                                                                                                    JA3 Fingerprints

                                                                                                                                                                                                                    No context

                                                                                                                                                                                                                    Dropped Files

                                                                                                                                                                                                                    No context

                                                                                                                                                                                                                    Created / dropped Files

                                                                                                                                                                                                                    C:\Users\Public\Desktop\Google Chrome.lnk

                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\kYpONUhAR5.exe
                                                                                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:19 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):2104
                                                                                                                                                                                                                    Entropy (8bit):3.468213012568913
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:48:8SMd5TvG90lRYrnvPdAKRkdAGdAKRFdAKR6P:8S2by7
                                                                                                                                                                                                                    MD5:90F15C97129CA5CE8C9D7DA19D0825DF
                                                                                                                                                                                                                    SHA1:0EE0A6B08DAB24ADEA377B9545A2269F2249CD8C
                                                                                                                                                                                                                    SHA-256:2F62E45ECEE3517765881625966C8A2E3F147BCBEBD59516EA4A86922B1CCBD5
                                                                                                                                                                                                                    SHA-512:8D0EEB09978E4959B9276FEA728C4CDF8463964C7B538D37A6DED5DC3C9D5154A8C8816D9524D510C5F3BF23E7B43F6511D73952C3ABB0993088D051EBFA89C6
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                    Preview:L..................F.@.. ......,....R.k.W....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IEW.5....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW@2....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.2..Chrome..>......CW.VEW.2....M.....................7...C.h.r.o.m.e.....`.1.....EW.2..APPLIC~1..H......CW.VEW.2..........................7...A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.5.........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

                                                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kYpONUhAR5.exe.log

                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\kYpONUhAR5.exe
                                                                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):3274
                                                                                                                                                                                                                    Entropy (8bit):5.3318368586986695
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                                                                                                                                                                                                                    MD5:0B2E58EF6402AD69025B36C36D16B67F
                                                                                                                                                                                                                    SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                                                                                                                                                                                                                    SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                                                                                                                                                                                                                    SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\Tmp382E.tmp

                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\kYpONUhAR5.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):2662
                                                                                                                                                                                                                    Entropy (8bit):7.8230547059446645
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                                                                                                    MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                                                                                                    SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                                                                                                    SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                                                                                                    SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                                                                                    Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\Tmp383F.tmp

                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\kYpONUhAR5.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):2662
                                                                                                                                                                                                                    Entropy (8bit):7.8230547059446645
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                                                                                                    MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                                                                                                    SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                                                                                                    SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                                                                                                    SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                                                                                    Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\kYpONUhAR5.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):2251
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3::
                                                                                                                                                                                                                    MD5:0158FE9CEAD91D1B027B795984737614
                                                                                                                                                                                                                    SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                                                                                                                                                                                    SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                                                                                                                                                                                    SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                    Static File Info

                                                                                                                                                                                                                    General

                                                                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                    Entropy (8bit):5.082545442352462
                                                                                                                                                                                                                    TrID:
                                                                                                                                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                    File name:kYpONUhAR5.exe
                                                                                                                                                                                                                    File size:311'296 bytes
                                                                                                                                                                                                                    MD5:58e8b2eb19704c5a59350d4ff92e5ab6
                                                                                                                                                                                                                    SHA1:171fc96dda05e7d275ec42840746258217d9caf0
                                                                                                                                                                                                                    SHA256:07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834
                                                                                                                                                                                                                    SHA512:e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f
                                                                                                                                                                                                                    SSDEEP:3072:Eq6EgY6iArUjOvWUJwPYT8QADFKoRJTA+tJSiK1cZqf7D34leqiOLibBOT:vqY6iULwP/xnRJTAKJ81cZqf7DIvL
                                                                                                                                                                                                                    TLSH:14646D1823EC9511E37F4B7998B1E6749375EC16A852D31F4EC06CAB3E32741FA11AB2
                                                                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................

                                                                                                                                                                                                                    File Icon

                                                                                                                                                                                                                    Icon Hash:4d8ea38d85a38e6d

                                                                                                                                                                                                                    Static PE Info

                                                                                                                                                                                                                    General

                                                                                                                                                                                                                    Entrypoint:0x42b9d6
                                                                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                                                                    Digitally signed:false
                                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                                    Subsystem:windows gui
                                                                                                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                    Time Stamp:0xEAE6B680 [Fri Nov 19 07:02:24 2094 UTC]
                                                                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                                                                                    OS Version Major:4
                                                                                                                                                                                                                    OS Version Minor:0
                                                                                                                                                                                                                    File Version Major:4
                                                                                                                                                                                                                    File Version Minor:0
                                                                                                                                                                                                                    Subsystem Version Major:4
                                                                                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                                                                                                    Entrypoint Preview

                                                                                                                                                                                                                    Instruction
                                                                                                                                                                                                                    jmp dword ptr [00402000h]
                                                                                                                                                                                                                    popad
                                                                                                                                                                                                                    add byte ptr [ebp+00h], dh
                                                                                                                                                                                                                    je 00007F7FB0B2D4A2h
                                                                                                                                                                                                                    outsd
                                                                                                                                                                                                                    add byte ptr [esi+00h], ah
                                                                                                                                                                                                                    imul eax, dword ptr [eax], 006C006Ch
                                                                                                                                                                                                                    xor eax, 59007400h
                                                                                                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                                                                                                    push edx
                                                                                                                                                                                                                    add byte ptr [ecx+00h], dh
                                                                                                                                                                                                                    popad
                                                                                                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                                                                                                    push esi
                                                                                                                                                                                                                    add byte ptr [edi+00h], ch
                                                                                                                                                                                                                    popad
                                                                                                                                                                                                                    add byte ptr [ebp+00h], ch
                                                                                                                                                                                                                    push 61006800h
                                                                                                                                                                                                                    add byte ptr [ebp+00h], ch
                                                                                                                                                                                                                    dec edx
                                                                                                                                                                                                                    add byte ptr [eax], bh
                                                                                                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                                                                                                    push edi
                                                                                                                                                                                                                    add byte ptr [ecx], bh
                                                                                                                                                                                                                    add byte ptr [ecx+00h], bh
                                                                                                                                                                                                                    bound eax, dword ptr [eax]
                                                                                                                                                                                                                    xor al, byte ptr [eax]
                                                                                                                                                                                                                    insb
                                                                                                                                                                                                                    add byte ptr [eax+00h], bl
                                                                                                                                                                                                                    pop ecx
                                                                                                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                                                                                                    js 00007F7FB0B2D4A2h
                                                                                                                                                                                                                    jnc 00007F7FB0B2D4A2h
                                                                                                                                                                                                                    pop edx
                                                                                                                                                                                                                    add byte ptr [eax+00h], bl
                                                                                                                                                                                                                    push ecx
                                                                                                                                                                                                                    add byte ptr [ebx+00h], cl
                                                                                                                                                                                                                    popad
                                                                                                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                                                                                                    dec edx
                                                                                                                                                                                                                    add byte ptr [ebp+00h], dh
                                                                                                                                                                                                                    pop edx
                                                                                                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                                                                                                    jo 00007F7FB0B2D4A2h
                                                                                                                                                                                                                    imul eax, dword ptr [eax], 5Ah
                                                                                                                                                                                                                    add byte ptr [ebp+00h], ch
                                                                                                                                                                                                                    jo 00007F7FB0B2D4A2h
                                                                                                                                                                                                                    je 00007F7FB0B2D4A2h
                                                                                                                                                                                                                    bound eax, dword ptr [eax]
                                                                                                                                                                                                                    push edi
                                                                                                                                                                                                                    add byte ptr [eax+eax+77h], dh
                                                                                                                                                                                                                    add byte ptr [ecx+00h], bl
                                                                                                                                                                                                                    xor al, byte ptr [eax]
                                                                                                                                                                                                                    xor eax, 63007300h
                                                                                                                                                                                                                    add byte ptr [edi+00h], al
                                                                                                                                                                                                                    push esi
                                                                                                                                                                                                                    add byte ptr [ecx+00h], ch
                                                                                                                                                                                                                    popad
                                                                                                                                                                                                                    add byte ptr [edx], dh
                                                                                                                                                                                                                    add byte ptr [eax+00h], bh
                                                                                                                                                                                                                    je 00007F7FB0B2D4A2h
                                                                                                                                                                                                                    bound eax, dword ptr [eax]
                                                                                                                                                                                                                    insd
                                                                                                                                                                                                                    add byte ptr [eax+eax+76h], dh
                                                                                                                                                                                                                    add byte ptr [edx+00h], bl
                                                                                                                                                                                                                    push edi
                                                                                                                                                                                                                    add byte ptr [ecx], bh
                                                                                                                                                                                                                    add byte ptr [eax+00h], dh
                                                                                                                                                                                                                    popad
                                                                                                                                                                                                                    add byte ptr [edi+00h], al
                                                                                                                                                                                                                    cmp dword ptr [eax], eax
                                                                                                                                                                                                                    insd
                                                                                                                                                                                                                    add byte ptr [edx+00h], bl
                                                                                                                                                                                                                    push edi
                                                                                                                                                                                                                    add byte ptr [esi+00h], cl
                                                                                                                                                                                                                    cmp byte ptr [eax], al
                                                                                                                                                                                                                    push esi
                                                                                                                                                                                                                    add byte ptr [eax+00h], cl
                                                                                                                                                                                                                    dec edx
                                                                                                                                                                                                                    add byte ptr [esi+00h], dh
                                                                                                                                                                                                                    bound eax, dword ptr [eax]
                                                                                                                                                                                                                    insd
                                                                                                                                                                                                                    add byte ptr [eax+00h], bh
                                                                                                                                                                                                                    jo 00007F7FB0B2D4A2h
                                                                                                                                                                                                                    bound eax, dword ptr [eax]
                                                                                                                                                                                                                    insd
                                                                                                                                                                                                                    add byte ptr [ebx+00h], dh

                                                                                                                                                                                                                    Data Directories

                                                                                                                                                                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x2b9840x4f.text
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x320000x1c9c4.rsrc
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x500000xc.reloc
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x2b9680x1c.text
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                                                                                    Sections

                                                                                                                                                                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                                                                    .text0x20000x2e9bc0x2ec002412a20105aa703440ecc0ae6d36587cFalse0.46979967413101603COM executable for DOS6.205690802522852IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                                    .rsrc0x320000x1c9c40x1cc00d90c4c9df4f9c47bd32c68a9274242f2False0.23721127717391305data2.6058927068025572IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                                    .reloc0x500000xc0x400a8f475633df7505c506f361251753bd4False0.025390625data0.05585530805374581IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                                                                                    Resources

                                                                                                                                                                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                                                                                    RT_ICON0x321a00x3d04PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9934058898847631
                                                                                                                                                                                                                    RT_ICON0x35eb40x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m0.09013072282030049
                                                                                                                                                                                                                    RT_ICON0x466ec0x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m0.13905290505432216
                                                                                                                                                                                                                    RT_ICON0x4a9240x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m0.17033195020746889
                                                                                                                                                                                                                    RT_ICON0x4cedc0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m0.2045028142589118
                                                                                                                                                                                                                    RT_ICON0x4df940x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m0.24645390070921985
                                                                                                                                                                                                                    RT_GROUP_ICON0x4e40c0x5adata0.7666666666666667
                                                                                                                                                                                                                    RT_VERSION0x4e4780x34adata0.44061757719714967
                                                                                                                                                                                                                    RT_MANIFEST0x4e7d40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                                                                                                                                                                    Imports

                                                                                                                                                                                                                    DLLImport
                                                                                                                                                                                                                    mscoree.dll_CorExeMain

                                                                                                                                                                                                                    Network Behavior

                                                                                                                                                                                                                    Suricata IDS Alerts

                                                                                                                                                                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                                                                                    2024-09-27T17:22:10.765544+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:10.765544+02002046045ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:10.992909+02002043234ET MALWARE Redline Stealer TCP CnC - Id1Response1185.215.113.6715206192.168.2.649710TCP
                                                                                                                                                                                                                    2024-09-27T17:22:16.045665+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:16.363786+02002046056ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)1185.215.113.6715206192.168.2.649710TCP
                                                                                                                                                                                                                    2024-09-27T17:22:17.464550+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:17.712642+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:18.015035+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:18.279185+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:18.507423+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:20.639665+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:21.236540+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:21.469573+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:21.703432+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:22.134212+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:22.402884+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:22.728365+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:22.960033+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:23.210740+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:23.558591+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:23.564561+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:24.791517+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:25.161436+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:25.420755+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:25.678762+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:25.923591+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP
                                                                                                                                                                                                                    2024-09-27T17:22:26.203907+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.649710185.215.113.6715206TCP

                                                                                                                                                                                                                    Network Port Distribution

                                                                                                                                                                                                                    TCP Packets

                                                                                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                                    Sep 27, 2024 17:22:09.653358936 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:09.658332109 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:09.658407927 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:09.673302889 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:09.678118944 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:10.374437094 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:10.415029049 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:10.765543938 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:10.771645069 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:10.992908955 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:11.040067911 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.045665026 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.050609112 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.275441885 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.275465965 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.275479078 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.275491953 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.275506973 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.275572062 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.275619984 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.363785982 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.363984108 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.364166021 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.452626944 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:16.493215084 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:17.464550018 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:17.470041990 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:17.692811012 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:17.712641954 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:17.717555046 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:17.942931890 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:17.993227005 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:18.015034914 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:18.019968987 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:18.243762970 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:18.279185057 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:18.284122944 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:18.506437063 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:18.507422924 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:18.512886047 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:18.734891891 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:18.780147076 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:20.639664888 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:20.887236118 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.109503031 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.165080070 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.236540079 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.241411924 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.464098930 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.469573021 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.474709988 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.697844982 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.703432083 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.708435059 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.708560944 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.708595991 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.708697081 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.708724976 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:21.708751917 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.129966021 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.134212017 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.141948938 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.363979101 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.402884007 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.408107996 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.654216051 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.696337938 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.728364944 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.733494997 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.957946062 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.960032940 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:22.966412067 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.207706928 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.210740089 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.237148046 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.465574980 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.508840084 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.558590889 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564136028 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564203978 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564481020 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564510107 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564537048 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564560890 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564567089 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564593077 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564615011 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564661026 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564773083 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564865112 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564963102 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.564992905 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.565045118 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.565046072 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.565071106 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.565098047 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.565124035 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.565149069 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.565184116 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.566998959 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.567027092 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.567054033 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.567090034 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.567147017 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.569207907 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.569263935 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.569585085 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.569650888 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.569771051 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.569834948 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.569926977 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.569953918 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.569978952 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.569982052 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.570003033 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.570034027 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.570135117 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.570195913 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.570379972 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.570437908 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.570822001 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.570893049 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.571316004 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.571372032 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.572793961 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.572845936 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574562073 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574589968 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574613094 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574615955 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574636936 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574651003 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574667931 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574676991 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574692011 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574703932 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574744940 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574794054 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574820995 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574847937 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574876070 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574906111 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574909925 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574928999 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574949026 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.574954033 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575002909 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575443029 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575470924 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575498104 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575508118 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575524092 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575547934 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575558901 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575572014 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575598955 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575614929 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575624943 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575640917 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575650930 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575666904 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575676918 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575692892 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575702906 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575725079 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575728893 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575746059 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575756073 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575772047 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575781107 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575797081 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575826883 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575828075 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575856924 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575872898 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575885057 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575901031 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575911045 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575927973 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575937986 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575959921 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575963974 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.575990915 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576016903 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576044083 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576070070 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576097012 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576122999 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576153994 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576179981 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576206923 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576436996 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576463938 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576491117 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576536894 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576564074 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576590061 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576617002 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576643944 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.576673985 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.577930927 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.577959061 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.577985048 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.578754902 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580054045 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580081940 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580107927 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580275059 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580302000 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580328941 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580374002 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580400944 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580427885 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580459118 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580495119 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580562115 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580585003 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580796957 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580826044 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580889940 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.580920935 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.581377029 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.581404924 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.581433058 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.581460953 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.581487894 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.581513882 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.581557035 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.581583977 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.581610918 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.581638098 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.581665039 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.582820892 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.582957029 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.582984924 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.583108902 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.583136082 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.583163023 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.583189011 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.583215952 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.583241940 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.583271027 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.583297968 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.583517075 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.583544016 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.583570957 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584075928 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584103107 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584130049 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584157944 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584203959 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584229946 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584256887 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584283113 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584310055 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584336042 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584382057 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584408045 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584435940 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584462881 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584489107 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584515095 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584541082 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584568024 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584594011 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584620953 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584650993 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584840059 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.584909916 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.587976933 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588079929 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588108063 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588463068 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588490963 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588517904 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588545084 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588572025 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588618994 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588650942 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588676929 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588702917 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588730097 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.588754892 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589109898 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589137077 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589163065 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589303017 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589330912 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589359045 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589385986 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589411974 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589438915 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589464903 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589492083 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589518070 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589544058 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589570999 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589596987 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589622974 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589648962 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589675903 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589701891 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589728117 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589776039 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589854956 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589884043 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589911938 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589939117 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589966059 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.589992046 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590018034 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590044022 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590070009 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590118885 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590146065 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590172052 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590198040 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590224028 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590590954 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590619087 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590946913 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.590974092 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.591372967 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.591622114 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.591691017 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.591944933 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592211008 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592258930 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592284918 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592312098 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592474937 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592597961 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592626095 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592652082 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592679024 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592705011 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592730999 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592756987 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592782974 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592808962 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592834949 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592864037 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592916012 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592943907 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592971087 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.592997074 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593024015 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593050003 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593076944 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593102932 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593128920 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593154907 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593180895 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593206882 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593234062 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593260050 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593286991 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593312979 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593338966 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593364954 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593389988 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593416929 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593442917 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593468904 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593494892 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593527079 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593553066 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593580008 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593605042 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593631029 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593657970 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593683004 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593709946 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593735933 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593761921 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593787909 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593813896 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593839884 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.593888998 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.594248056 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.594317913 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.597161055 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.597189903 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.597404003 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.597497940 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.597860098 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.597887993 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.597915888 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.597942114 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.597969055 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598014116 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598041058 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598068953 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598094940 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598120928 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598148108 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598175049 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598200083 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598232031 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598258018 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598423004 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598450899 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598476887 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598504066 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598531008 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598637104 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598664045 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598690033 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598737001 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598763943 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598789930 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598819017 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598845005 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598871946 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598897934 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598923922 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598949909 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.598975897 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599001884 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599412918 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599441051 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599467039 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599493027 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599519968 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599546909 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599572897 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599600077 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599626064 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599653006 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599678993 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.599705935 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.600805998 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.600833893 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.600860119 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.600908995 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.600935936 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.600964069 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.600991964 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601016998 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601043940 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601070881 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601098061 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601124048 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601150990 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601176977 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601202965 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601222992 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601227999 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601259947 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601286888 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601313114 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601337910 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601342916 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601371050 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601419926 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601449013 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601478100 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601490021 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601516008 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601541996 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601568937 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601596117 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601623058 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601650953 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601675987 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601702929 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601731062 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601758003 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601783991 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601809025 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601836920 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601887941 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601914883 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601942062 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601969004 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.601994991 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602020979 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602051020 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602077961 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602103949 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602130890 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602158070 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602185011 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602210999 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602236986 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602262974 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602288961 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602319002 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.602345943 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608532906 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608561993 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608588934 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608728886 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608756065 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608782053 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608788967 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608808041 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608839989 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608865976 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608894110 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608896971 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608921051 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.608947039 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609069109 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609097004 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609122992 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609163046 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609189987 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609216928 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609242916 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609268904 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609294891 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609321117 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609348059 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609374046 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609400034 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609425068 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609451056 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609477043 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609503984 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609533072 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609580040 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609606981 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609633923 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609659910 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609688997 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609735966 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609761953 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609788895 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609816074 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609843016 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609920025 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609947920 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.609975100 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.610002995 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.610028028 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.610054970 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.610081911 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.610109091 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.610135078 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.610161066 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.610188007 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.610218048 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.610244036 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.614428997 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.614727020 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.618077993 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.618210077 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.660504103 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.660741091 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:23.690681934 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.723870039 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.774463892 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.791517019 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.796574116 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.796704054 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.796895027 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.796979904 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.797007084 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.797034025 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.797060966 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.797086954 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.797112942 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.797138929 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.797164917 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.797420025 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:24.797447920 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.159065008 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.161436081 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.167510033 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.395262957 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.420754910 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.451363087 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.674411058 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.678761959 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.683995008 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.922630072 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.923590899 CEST4971015206192.168.2.6185.215.113.67
                                                                                                                                                                                                                    Sep 27, 2024 17:22:25.928935051 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:26.168049097 CEST1520649710185.215.113.67192.168.2.6
                                                                                                                                                                                                                    Sep 27, 2024 17:22:26.203907013 CEST4971015206192.168.2.6185.215.113.67

                                                                                                                                                                                                                    Statistics

                                                                                                                                                                                                                    CPU Usage

                                                                                                                                                                                                                    Click to jump to process

                                                                                                                                                                                                                    Memory Usage

                                                                                                                                                                                                                    Click to jump to process

                                                                                                                                                                                                                    High Level Behavior Distribution

                                                                                                                                                                                                                    Click to dive into process behavior distribution

                                                                                                                                                                                                                    System Behavior

                                                                                                                                                                                                                    General

                                                                                                                                                                                                                    Target ID:0
                                                                                                                                                                                                                    Start time:11:22:07
                                                                                                                                                                                                                    Start date:27/09/2024
                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\kYpONUhAR5.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\kYpONUhAR5.exe"
                                                                                                                                                                                                                    Imagebase:0xe30000
                                                                                                                                                                                                                    File size:311'296 bytes
                                                                                                                                                                                                                    MD5 hash:58E8B2EB19704C5A59350D4FF92E5AB6
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.2140548501.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2320321106.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Disassembly

                                                                                                                                                                                                                    Reset < >

                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                      Execution Coverage:7.3%
                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                                                                                      Total number of Nodes:72
                                                                                                                                                                                                                      Total number of Limit Nodes:6
                                                                                                                                                                                                                      execution_graph 28084 17dd0b8 28085 17dd0fe GetCurrentProcess 28084->28085 28087 17dd149 28085->28087 28088 17dd150 GetCurrentThread 28085->28088 28087->28088 28089 17dd18d GetCurrentProcess 28088->28089 28090 17dd186 28088->28090 28091 17dd1c3 28089->28091 28090->28089 28092 17dd1eb GetCurrentThreadId 28091->28092 28093 17dd21c 28092->28093 28094 17d4668 28095 17d4684 28094->28095 28096 17d4696 28095->28096 28100 17d47a0 28095->28100 28105 17d3e10 28096->28105 28101 17d47c5 28100->28101 28109 17d48a1 28101->28109 28113 17d48b0 28101->28113 28106 17d3e1b 28105->28106 28121 17d5c54 28106->28121 28108 17d46b5 28111 17d48b0 28109->28111 28110 17d49b4 28110->28110 28111->28110 28117 17d4248 28111->28117 28115 17d48d7 28113->28115 28114 17d49b4 28114->28114 28115->28114 28116 17d4248 CreateActCtxA 28115->28116 28116->28114 28118 17d5940 CreateActCtxA 28117->28118 28120 17d5a03 28118->28120 28122 17d5c5f 28121->28122 28125 17d5c64 28122->28125 28124 17d709d 28124->28108 28126 17d5c6f 28125->28126 28129 17d5c94 28126->28129 28128 17d717a 28128->28124 28130 17d5c9f 28129->28130 28133 17d5cc4 28130->28133 28132 17d726d 28132->28128 28134 17d5ccf 28133->28134 28136 17d8653 28134->28136 28139 17dad01 28134->28139 28135 17d8691 28135->28132 28136->28135 28143 17dcde0 28136->28143 28148 17dad38 28139->28148 28151 17dad28 28139->28151 28140 17dad16 28140->28136 28144 17dce11 28143->28144 28145 17dce35 28144->28145 28160 17dcfa0 28144->28160 28164 17dcf90 28144->28164 28145->28135 28155 17dae30 28148->28155 28149 17dad47 28149->28140 28152 17dad38 28151->28152 28154 17dae30 GetModuleHandleW 28152->28154 28153 17dad47 28153->28140 28154->28153 28156 17dae64 28155->28156 28157 17dae41 28155->28157 28156->28149 28157->28156 28158 17db068 GetModuleHandleW 28157->28158 28159 17db095 28158->28159 28159->28149 28162 17dcfad 28160->28162 28161 17dcfe7 28161->28145 28162->28161 28168 17dc8d8 28162->28168 28165 17dcfa0 28164->28165 28166 17dcfe7 28165->28166 28167 17dc8d8 GetModuleHandleW 28165->28167 28166->28145 28167->28166 28169 17dc8e3 28168->28169 28171 17dd8f8 28169->28171 28172 17dca04 28169->28172 28171->28171 28173 17dca0f 28172->28173 28174 17d5cc4 GetModuleHandleW 28173->28174 28175 17dd967 28174->28175 28175->28171 28176 17dd300 DuplicateHandle 28177 17dd396 28176->28177

                                                                                                                                                                                                                      Executed Functions

                                                                                                                                                                                                                      Function 06A767D8 Relevance: .4, Instructions: 417COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f31c159a7727f4049d422c2dadfea36ca48a75693f2a3e64d17a688c298a9931
                                                                                                                                                                                                                      • Instruction ID: a6afd33617673a37713cd11421f347ee3693303cb2e6781b727d6fed7f23b639
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f31c159a7727f4049d422c2dadfea36ca48a75693f2a3e64d17a688c298a9931
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5AF1AF30A0060A9FDB55DFA8DD40B9EBBF2EF84300F149569E545AF2A1DB70ED46CB90
                                                                                                                                                                                                                      Function 06A7A3D8 Relevance: .3, Instructions: 295COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 71da7217371c148f35902ca86630b1bef0b109cc972cd1393d50ec94e0d767d5
                                                                                                                                                                                                                      • Instruction ID: 567ee54c69f09912874798188d4afcad8a9ef0da76379af3f9a38131cf4b04ad
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 71da7217371c148f35902ca86630b1bef0b109cc972cd1393d50ec94e0d767d5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B9D1C134E01218CFDB18EFB4D854AADBBB2FF8A301F1085A9D51AAB354DB315986CF11
                                                                                                                                                                                                                      Function 06A7A3E8 Relevance: .3, Instructions: 289COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 03c1ad8f0034de4db1e188755f7f01a89fea8ed6981305614fa40ae2e3487250
                                                                                                                                                                                                                      • Instruction ID: 464ccae1cfa5fc5c4debca305a55501d03a5967aa6d2a8fb093d007df986bfd2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 03c1ad8f0034de4db1e188755f7f01a89fea8ed6981305614fa40ae2e3487250
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 19D1C234E01218CFDB18EFB5D854A9DBBB2FF8A301F1081A9D51AAB394DB315986CF11
                                                                                                                                                                                                                      Function 017DD0A8 Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 017DD136
                                                                                                                                                                                                                      • GetCurrentThread.KERNEL32 ref: 017DD173
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 017DD1B0
                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 017DD209
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2320063609.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_17d0000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Current$ProcessThread
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2063062207-0
                                                                                                                                                                                                                      • Opcode ID: a89b3b18d0e640732c6f6dca3e0208f3630740fa0f04fd193c9698fd1efb112c
                                                                                                                                                                                                                      • Instruction ID: 0fe2512aa073c808e53b6d4b61b69ebbb936064063b42b2382b013ee06b69cf0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a89b3b18d0e640732c6f6dca3e0208f3630740fa0f04fd193c9698fd1efb112c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 955152B090024ACFDB14CFA9D948B9EBFF1EF88314F208459E509A73A0DB75A944CF65
                                                                                                                                                                                                                      Function 017DD0B8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 017DD136
                                                                                                                                                                                                                      • GetCurrentThread.KERNEL32 ref: 017DD173
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 017DD1B0
                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 017DD209
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2320063609.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_17d0000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Current$ProcessThread
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2063062207-0
                                                                                                                                                                                                                      • Opcode ID: 91e53a34d8277f29b676a0556c94a5413f23f3c69d51b776ebc28156d840cd5b
                                                                                                                                                                                                                      • Instruction ID: b4b895e0daabb0c94f4d9602061178b5db704801dda873ccf4dae2af13dfb568
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 91e53a34d8277f29b676a0556c94a5413f23f3c69d51b776ebc28156d840cd5b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D45155B090024A8FDB14CFA9D948B9EBFF1FF88314F208419E509A7390DB75A944CF65
                                                                                                                                                                                                                      Function 017DAE30 Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 44 17dae30-17dae3f 45 17dae6b-17dae6f 44->45 46 17dae41-17dae4e call 17d9838 44->46 47 17dae71-17dae7b 45->47 48 17dae83-17daec4 45->48 53 17dae64 46->53 54 17dae50 46->54 47->48 55 17daec6-17daece 48->55 56 17daed1-17daedf 48->56 53->45 101 17dae56 call 17db0c8 54->101 102 17dae56 call 17db0b8 54->102 55->56 57 17daee1-17daee6 56->57 58 17daf03-17daf05 56->58 61 17daee8-17daeef call 17da814 57->61 62 17daef1 57->62 60 17daf08-17daf0f 58->60 59 17dae5c-17dae5e 59->53 63 17dafa0-17dafb7 59->63 64 17daf1c-17daf23 60->64 65 17daf11-17daf19 60->65 67 17daef3-17daf01 61->67 62->67 77 17dafb9-17db018 63->77 68 17daf25-17daf2d 64->68 69 17daf30-17daf39 call 17da824 64->69 65->64 67->60 68->69 75 17daf3b-17daf43 69->75 76 17daf46-17daf4b 69->76 75->76 78 17daf4d-17daf54 76->78 79 17daf69-17daf76 76->79 95 17db01a-17db060 77->95 78->79 80 17daf56-17daf66 call 17da834 call 17da844 78->80 84 17daf99-17daf9f 79->84 85 17daf78-17daf96 79->85 80->79 85->84 96 17db068-17db093 GetModuleHandleW 95->96 97 17db062-17db065 95->97 98 17db09c-17db0b0 96->98 99 17db095-17db09b 96->99 97->96 99->98 101->59 102->59
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 017DB086
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2320063609.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_17d0000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                                                                                                      • Opcode ID: f0d047f8dd8137d00a53252387ce78a9184558edc2ea5781afdde1ba5cdfb384
                                                                                                                                                                                                                      • Instruction ID: b9cd111f84b0ff1750366c5c216f00c7f1792e4c7f8506797ec6a1398ec6ddae
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f0d047f8dd8137d00a53252387ce78a9184558edc2ea5781afdde1ba5cdfb384
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2C7123B0A00B0A8FEB24DF6AD54575AFBF1FF88200F04896DD54AD7A90DB74E845CB91
                                                                                                                                                                                                                      Function 017D4248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 103 17d4248-17d5a01 CreateActCtxA 106 17d5a0a-17d5a64 103->106 107 17d5a03-17d5a09 103->107 114 17d5a66-17d5a69 106->114 115 17d5a73-17d5a77 106->115 107->106 114->115 116 17d5a79-17d5a85 115->116 117 17d5a88 115->117 116->117 119 17d5a89 117->119 119->119
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 017D59F1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2320063609.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_17d0000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Create
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                                                                      • Opcode ID: 7e8352bc816aa387b831a8879c21ec96106cc7ededeb964039f2e539e8732354
                                                                                                                                                                                                                      • Instruction ID: bcb7c2e5b908cf2f067078f417d8a4429c6bf94f849adefbd75c926996cf3e70
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7e8352bc816aa387b831a8879c21ec96106cc7ededeb964039f2e539e8732354
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3941EFB1C0072DCBEB24CFA9C984B8DBBB5FF89304F20816AD408AB251DB756945CF91
                                                                                                                                                                                                                      Function 017D5935 Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 120 17d5935-17d5936 121 17d5940-17d5a01 CreateActCtxA 120->121 123 17d5a0a-17d5a64 121->123 124 17d5a03-17d5a09 121->124 131 17d5a66-17d5a69 123->131 132 17d5a73-17d5a77 123->132 124->123 131->132 133 17d5a79-17d5a85 132->133 134 17d5a88 132->134 133->134 136 17d5a89 134->136 136->136
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 017D59F1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2320063609.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_17d0000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Create
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                                                                      • Opcode ID: 67f09e45e19e3e427ade0ab69503bb4bb2f4e887d909c92789e722d0d052652c
                                                                                                                                                                                                                      • Instruction ID: 1e8266968184e6bb70f8dff9150bd7379bce7758768d61e8b52e7d26d7508b1b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 67f09e45e19e3e427ade0ab69503bb4bb2f4e887d909c92789e722d0d052652c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F541EFB0C0072DCBEB24CFA9C984B8DBBF5BF89304F20815AD508AB251DB756945CF91
                                                                                                                                                                                                                      Function 06A759C8 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 137 6a759c8-6a759c9 138 6a75966-6a759c7 call 6a75098 137->138 139 6a759cb-6a759f3 137->139 140 6a759f5-6a759f7 139->140 141 6a759ff-6a75a0e 139->141 140->141 142 6a75a10 141->142 143 6a75a1a-6a75a2a 141->143 142->143 146 6a75a2d-6a75a4f 143->146 148 6a75a55-6a75a5b 146->148 149 6a75c88-6a75ccf 146->149 150 6a75b34-6a75b38 148->150 151 6a75a61-6a75a67 148->151 183 6a75ce5-6a75cf1 149->183 184 6a75cd1 149->184 155 6a75b5b-6a75b64 150->155 156 6a75b3a-6a75b43 150->156 151->149 154 6a75a6d-6a75a7a 151->154 158 6a75b13-6a75b1c 154->158 159 6a75a80-6a75a89 154->159 161 6a75b66-6a75b86 155->161 162 6a75b89-6a75b8c 155->162 156->149 160 6a75b49-6a75b59 156->160 158->149 165 6a75b22-6a75b2e 158->165 159->149 167 6a75a8f-6a75ab0 159->167 164 6a75b8f-6a75b95 160->164 161->162 162->164 164->149 168 6a75b9b-6a75bae 164->168 165->150 165->151 169 6a75ab2 167->169 170 6a75abc-6a75ad7 167->170 168->149 173 6a75bb4-6a75bc4 168->173 169->170 170->158 180 6a75ad9-6a75adf 170->180 173->149 176 6a75bca-6a75bd7 173->176 176->149 179 6a75bdd-6a75c02 176->179 179->149 194 6a75c08-6a75c20 179->194 181 6a75ae1 180->181 182 6a75aeb-6a75af1 180->182 181->182 182->149 185 6a75af7-6a75b10 182->185 188 6a75cf3 183->188 189 6a75cfd-6a75d19 183->189 186 6a75cd4-6a75ce3 184->186 186->183 188->189 194->149 197 6a75c22-6a75c2d 194->197 198 6a75c2f-6a75c39 197->198 199 6a75c7e-6a75c85 197->199 198->199 201 6a75c3b-6a75c51 198->201 203 6a75c53 201->203 204 6a75c5d-6a75c76 201->204 203->204 204->199
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: d
                                                                                                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                                                                                                      • Opcode ID: 95de1d6f1eb56b67ef9b6b4043919dd017aefb2fdcce62cb84af1f04b3a26b46
                                                                                                                                                                                                                      • Instruction ID: 16c8f0e13f67d4c6e3d437da3b7ad1ddc77f697d2c932016a38841d042548af9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 95de1d6f1eb56b67ef9b6b4043919dd017aefb2fdcce62cb84af1f04b3a26b46
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 86D15934B00602CFCB54DF69C98096ABBF2FF89310725CA59D55A9B662DB30FD46CB90
                                                                                                                                                                                                                      Function 017DD300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 212 17dd300-17dd394 DuplicateHandle 213 17dd39d-17dd3ba 212->213 214 17dd396-17dd39c 212->214 214->213
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017DD387
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2320063609.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_17d0000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                                                                                                      • Opcode ID: 3e66b214cb5339764406cbbe78db7342df8880bf6332a1529877695f280076d4
                                                                                                                                                                                                                      • Instruction ID: e6ee3fcee35b8bf5e3762afe9fc08bb73cb27048a3eafa4265d7b16b315c7302
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3e66b214cb5339764406cbbe78db7342df8880bf6332a1529877695f280076d4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B821B3B5900249DFDB10CF9AD984ADEFFF5EB48320F14841AE918A3350D774A954CFA5
                                                                                                                                                                                                                      Function 017DD2F9 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 207 17dd2f9-17dd394 DuplicateHandle 208 17dd39d-17dd3ba 207->208 209 17dd396-17dd39c 207->209 209->208
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017DD387
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2320063609.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_17d0000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                                                                                                      • Opcode ID: 33a79f5d2150c21fb6b53dc02f6f3e507567d51b565c532451e42cbb1bfb16c6
                                                                                                                                                                                                                      • Instruction ID: cea140a4f92ac7ed6d2fc1e10e0dece29e3301ea94c3bc2d05f622526cc16073
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 33a79f5d2150c21fb6b53dc02f6f3e507567d51b565c532451e42cbb1bfb16c6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8721E0B5900209DFDB10CFAAD985ADEFBF5AB48320F14841AE918A3350D378A950CF60
                                                                                                                                                                                                                      Function 017DB020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 217 17db020-17db060 218 17db068-17db093 GetModuleHandleW 217->218 219 17db062-17db065 217->219 220 17db09c-17db0b0 218->220 221 17db095-17db09b 218->221 219->218 221->220
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 017DB086
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2320063609.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_17d0000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                                                                                                      • Opcode ID: 4b18b9e1916110808f6b3e8e617bf34f67081ec59c642e5b406e03daa82d5ff6
                                                                                                                                                                                                                      • Instruction ID: 885d2a6829281a487a53c5a5403118fe3b1986553200cb2248e8d3ce91e9046f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4b18b9e1916110808f6b3e8e617bf34f67081ec59c642e5b406e03daa82d5ff6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D3110FB6C003498FDB20CF9AC444B9EFBF4AB89320F14842AD928B7210C379A545CFA1
                                                                                                                                                                                                                      Function 06A61BA0 Relevance: 1.5, Instructions: 1454COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 223 6a61ba0-6a61bc3 224 6a61bc5-6a61bc7 223->224 225 6a61bd1-6a61c2d 223->225 224->225 230 6a62056-6a6205c 225->230 231 6a61c33-6a61c69 225->231 234 6a62094-6a6209e 230->234 235 6a6205e-6a62074 230->235 231->230 245 6a61c6f-6a61ca5 231->245 239 6a620b6-6a62119 234->239 240 6a620a0 234->240 236 6a62076-6a62093 235->236 237 6a620a5-6a620a6 235->237 236->234 241 6a620aa-6a620b4 237->241 242 6a620a8 237->242 257 6a62ea1-6a62eab 239->257 258 6a6211f-6a62139 239->258 240->237 241->239 242->239 245->230 253 6a61cab-6a61ce2 245->253 253->230 265 6a61ce8-6a61d1e 253->265 264 6a62ead-6a62ec1 257->264 258->257 262 6a6213f-6a6216f 258->262 279 6a62171-6a62187 262->279 280 6a62189-6a621d5 262->280 264->264 266 6a62ec3-6a62ee8 264->266 265->230 282 6a61d24-6a61d5a 265->282 268 6a62f00-6a62f78 266->268 269 6a62eea-6a62ef0 266->269 294 6a62fa2-6a62fa9 268->294 295 6a62f7a-6a62fa0 268->295 271 6a62ef4-6a62efe 269->271 272 6a62ef2 269->272 271->268 272->268 291 6a621dc-6a621f9 279->291 280->291 282->230 300 6a61d60-6a61d9e 282->300 291->257 301 6a621ff-6a62235 291->301 295->294 300->230 311 6a61da4-6a61ded 300->311 309 6a62237-6a6224d 301->309 310 6a6224f-6a6229b 301->310 318 6a622a2-6a622bf 309->318 310->318 311->230 327 6a61df3-6a61e29 311->327 318->257 322 6a622c5-6a622fb 318->322 331 6a62315-6a62361 322->331 332 6a622fd-6a62313 322->332 327->230 337 6a61e2f-6a61e65 327->337 341 6a62368-6a62385 331->341 332->341 337->230 348 6a61e6b-6a61ea1 337->348 341->257 346 6a6238b-6a623c1 341->346 354 6a623c3-6a623d9 346->354 355 6a623db-6a62427 346->355 348->230 359 6a61ea7-6a61edd 348->359 363 6a6242e-6a6244b 354->363 355->363 359->230 370 6a61ee3-6a61efa 359->370 363->257 368 6a62451-6a62487 363->368 377 6a624a1-6a624f9 368->377 378 6a62489-6a6249f 368->378 370->230 373 6a61f00-6a61f32 370->373 384 6a61f34-6a61f5a 373->384 385 6a61f5c-6a61f9e 373->385 387 6a62500-6a6251d 377->387 378->387 399 6a61fce-6a62001 384->399 403 6a61fa0-6a61fb6 385->403 404 6a61fbc-6a61fc8 385->404 387->257 395 6a62523-6a62559 387->395 406 6a62573-6a625d1 395->406 407 6a6255b-6a62571 395->407 399->230 412 6a62003-6a62039 399->412 403->404 404->399 415 6a625d8-6a625f5 406->415 407->415 412->230 423 6a6203b-6a62053 412->423 415->257 421 6a625fb-6a62631 415->421 428 6a62633-6a62649 421->428 429 6a6264b-6a626a9 421->429 434 6a626b0-6a626cd 428->434 429->434 434->257 438 6a626d3-6a62709 434->438 442 6a62723-6a62781 438->442 443 6a6270b-6a62721 438->443 448 6a62788-6a627a5 442->448 443->448 448->257 452 6a627ab-6a627c5 448->452 452->257 454 6a627cb-6a627fb 452->454 458 6a62815-6a62873 454->458 459 6a627fd-6a62813 454->459 464 6a6287a-6a62897 458->464 459->464 464->257 467 6a6289d-6a628b7 464->467 467->257 470 6a628bd-6a628ed 467->470 474 6a62907-6a62965 470->474 475 6a628ef-6a62905 470->475 480 6a6296c-6a62989 474->480 475->480 480->257 483 6a6298f-6a629a9 480->483 483->257 486 6a629af-6a629df 483->486 490 6a629e1-6a629f7 486->490 491 6a629f9-6a62a57 486->491 496 6a62a5e-6a62a7b 490->496 491->496 496->257 500 6a62a81-6a62ab7 496->500 504 6a62ad1-6a62b2f 500->504 505 6a62ab9-6a62acf 500->505 510 6a62b36-6a62b53 504->510 505->510 510->257 514 6a62b59-6a62b8f 510->514 518 6a62b91-6a62ba7 514->518 519 6a62ba9-6a62c07 514->519 524 6a62c0e-6a62c2b 518->524 519->524 524->257 528 6a62c31-6a62c67 524->528 532 6a62c81-6a62cdf 528->532 533 6a62c69-6a62c7f 528->533 538 6a62ce6-6a62d03 532->538 533->538 538->257 542 6a62d09-6a62d3f 538->542 546 6a62d41-6a62d57 542->546 547 6a62d59-6a62db7 542->547 552 6a62dbe-6a62ddb 546->552 547->552 552->257 555 6a62de1-6a62e13 552->555 560 6a62e15-6a62e2b 555->560 561 6a62e2d-6a62e82 555->561 566 6a62e89-6a62e9e 560->566 561->566
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ccb427507a818868c6b3610cb75de0bccddf6ee76cad2c5c492267f566090dd5
                                                                                                                                                                                                                      • Instruction ID: 65eb924e8032bf5a4a5bf375279155de6a2038377cb10fa2047e4e4a097a22da
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ccb427507a818868c6b3610cb75de0bccddf6ee76cad2c5c492267f566090dd5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 90C22B70A002189FCB54DF64C994BADBBB6FF88700F118499E606AB3A1DF719E41DF61
                                                                                                                                                                                                                      Function 06A600D8 Relevance: .7, Instructions: 676COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 864 6a600d8-6a600fc 866 6a60114-6a60135 864->866 867 6a600fe-6a60104 864->867 872 6a60138-6a60145 866->872 868 6a60106 867->868 869 6a60108-6a6010a 867->869 868->866 869->866 874 6a6076a-6a60774 872->874 875 6a6014b-6a60160 872->875 875->872 877 6a60162 875->877 878 6a60337-6a6035d 877->878 879 6a602c4-6a602f2 877->879 880 6a60422-6a60445 877->880 881 6a60512-6a60535 877->881 882 6a60251-6a6027f 877->882 883 6a601de-6a60204 877->883 884 6a603aa-6a603cd 877->884 885 6a6049a-6a604bd 877->885 886 6a60169-6a6018c 877->886 902 6a60363-6a60365 878->902 911 6a602f4-6a602fa 879->911 912 6a6030a-6a60332 879->912 927 6a608bb-6a608ea 880->927 928 6a6044b-6a6044f 880->928 929 6a609ff-6a60a2e 881->929 930 6a6053b-6a6053f 881->930 905 6a60297-6a602bf 882->905 906 6a60281-6a60287 882->906 898 6a6020a-6a6020c 883->898 934 6a603d3-6a603d7 884->934 935 6a60819-6a60848 884->935 936 6a604c3-6a604c7 885->936 937 6a6095d-6a6098c 885->937 938 6a60777-6a607a6 886->938 939 6a60192-6a60196 886->939 907 6a60224-6a6024c 898->907 908 6a6020e-6a60214 898->908 909 6a60367-6a6036d 902->909 910 6a6037d-6a603a5 902->910 905->872 919 6a6028b-6a6028d 906->919 920 6a60289 906->920 907->872 915 6a60216 908->915 916 6a60218-6a6021a 908->916 917 6a60371-6a60373 909->917 918 6a6036f 909->918 910->872 924 6a602fe-6a60300 911->924 925 6a602fc 911->925 912->872 915->907 916->907 917->910 918->910 919->905 920->905 924->912 925->912 953 6a608f1-6a60920 927->953 940 6a60927-6a60956 928->940 941 6a60455-6a6045f 928->941 954 6a60a35-6a60a64 929->954 942 6a60545-6a6054f 930->942 943 6a60a6b-6a60d2e 930->943 944 6a60885-6a608b4 934->944 945 6a603dd-6a603e7 934->945 962 6a6084f-6a6087e 935->962 946 6a604cd-6a604d7 936->946 947 6a609c9-6a609f8 936->947 964 6a60993-6a609c2 937->964 967 6a607ad-6a607dc 938->967 948 6a607e3-6a60812 939->948 949 6a6019c-6a601a6 939->949 940->937 952 6a60465-6a60495 941->952 941->953 942->954 955 6a60555-6a60585 942->955 944->927 945->962 963 6a603ed-6a6041d 945->963 946->964 965 6a604dd-6a6050d 946->965 947->929 948->935 966 6a601ac-6a601d9 949->966 949->967 952->872 953->940 954->943 955->872 962->944 963->872 964->947 965->872 966->872 967->948
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1f506e848fe934b553de58f914533237d85930d8d5d03ade56e252cf6516db7c
                                                                                                                                                                                                                      • Instruction ID: 1cbd081cca0282f0d5d2e230e960a31ce5ae36eadcec5c7f52074254894b5f96
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1f506e848fe934b553de58f914533237d85930d8d5d03ade56e252cf6516db7c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 04427730B00715CFDB68AF79D85066EBAB2FBC5604B005A5CD503AB391CFBAEC458B95
                                                                                                                                                                                                                      Function 06A63838 Relevance: .6, Instructions: 634COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 1073 6a63838-6a6385e 1074 6a63876-6a638cf 1073->1074 1075 6a63860-6a63866 1073->1075 1083 6a63e77-6a63e99 1074->1083 1084 6a638d5-6a63914 1074->1084 1076 6a6386a-6a63874 1075->1076 1077 6a63868 1075->1077 1076->1074 1077->1074 1087 6a63e6a-6a63e74 1083->1087 1088 6a63e9b-6a63f08 1083->1088 1084->1083 1093 6a6391a-6a63936 1084->1093 1106 6a63f0e-6a63f2a 1088->1106 1107 6a63fd9-6a63fe0 1088->1107 1093->1083 1096 6a6393c-6a63973 1093->1096 1104 6a63975-6a63999 1096->1104 1105 6a6399e-6a63a05 1096->1105 1118 6a63a3b-6a63a55 1104->1118 1123 6a63a27-6a63a35 1105->1123 1124 6a63a07-6a63a21 1105->1124 1114 6a63f52-6a63f90 1106->1114 1115 6a63f2c-6a63f50 1106->1115 1134 6a63f92-6a63fa5 1114->1134 1135 6a63fab-6a63fb4 1114->1135 1131 6a63fba-6a63fd3 1115->1131 1118->1083 1125 6a63a5b-6a63a92 1118->1125 1123->1118 1124->1123 1138 6a63a94-6a63ab8 1125->1138 1139 6a63abd-6a63b20 1125->1139 1131->1106 1131->1107 1134->1135 1135->1131 1147 6a63b56-6a63b70 1138->1147 1150 6a63b42-6a63b50 1139->1150 1151 6a63b22-6a63b3c 1139->1151 1147->1083 1152 6a63b76-6a63bad 1147->1152 1150->1147 1151->1150 1156 6a63baf-6a63bd3 1152->1156 1157 6a63bd8-6a63c3b 1152->1157 1164 6a63c71-6a63c8b 1156->1164 1167 6a63c5d-6a63c6b 1157->1167 1168 6a63c3d-6a63c57 1157->1168 1164->1083 1169 6a63c91-6a63cc8 1164->1169 1167->1164 1168->1167 1173 6a63cf3-6a63d56 1169->1173 1174 6a63cca-6a63cee 1169->1174 1183 6a63d78-6a63d86 1173->1183 1184 6a63d58-6a63d72 1173->1184 1181 6a63d8c-6a63da6 1174->1181 1181->1083 1186 6a63dac-6a63de0 1181->1186 1183->1181 1184->1183 1190 6a63de2-6a63e06 1186->1190 1191 6a63e08-6a63e58 1186->1191 1198 6a63e5f-6a63e64 1190->1198 1191->1198 1198->1087
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3bcf521891f72f0e2cdcc67027bdecd61fc933de94c4a30bfda27f260ba74b35
                                                                                                                                                                                                                      • Instruction ID: 4799c6485c22b5e101a2b29928460f93e8ed44c18e488aebb6d485c51c90d5c4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3bcf521891f72f0e2cdcc67027bdecd61fc933de94c4a30bfda27f260ba74b35
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 09420474B002149FCB44DF69C994AAEBBF6AF89704F118099E606EB3A1DB71ED41CB50
                                                                                                                                                                                                                      Function 06A60D80 Relevance: .6, Instructions: 618COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 1200 6a60d80-6a60dcb 1205 6a60dd1-6a60dd3 1200->1205 1206 6a60efd-6a60f10 1200->1206 1207 6a60dd6-6a60de5 1205->1207 1209 6a61006-6a61011 1206->1209 1210 6a60f16-6a60f25 1206->1210 1212 6a60e9d-6a60ea1 1207->1212 1213 6a60deb-6a60e1d 1207->1213 1215 6a61019-6a61022 1209->1215 1220 6a60fd1-6a60fd5 1210->1220 1221 6a60f2b-6a60f51 1210->1221 1216 6a60ea3-6a60eae 1212->1216 1217 6a60eb0 1212->1217 1248 6a60e26-6a60e2d 1213->1248 1249 6a60e1f-6a60e24 1213->1249 1219 6a60eb5-6a60eb8 1216->1219 1217->1219 1219->1215 1222 6a60ebe-6a60ec2 1219->1222 1223 6a60fd7-6a60fe2 1220->1223 1224 6a60fe4 1220->1224 1250 6a60f53-6a60f58 1221->1250 1251 6a60f5a-6a60f61 1221->1251 1227 6a60ec4-6a60ecf 1222->1227 1228 6a60ed1 1222->1228 1229 6a60fe6-6a60fe8 1223->1229 1224->1229 1234 6a60ed3-6a60ed5 1227->1234 1228->1234 1232 6a60fea-6a60ff4 1229->1232 1233 6a61039-6a61050 1229->1233 1243 6a60ff7-6a61000 1232->1243 1253 6a61052-6a61087 1233->1253 1254 6a61088-6a610b5 1233->1254 1238 6a61025-6a61032 1234->1238 1239 6a60edb-6a60ee5 1234->1239 1238->1233 1252 6a60ee8-6a60ef2 1239->1252 1243->1209 1243->1210 1256 6a60e52-6a60e76 1248->1256 1257 6a60e2f-6a60e50 1248->1257 1255 6a60e91-6a60e9b 1249->1255 1258 6a60fc5-6a60fcf 1250->1258 1259 6a60f86-6a60faa 1251->1259 1260 6a60f63-6a60f84 1251->1260 1252->1207 1261 6a60ef8 1252->1261 1253->1254 1284 6a610bb-6a610bd 1254->1284 1285 6a61189-6a6119c 1254->1285 1255->1252 1275 6a60e8e 1256->1275 1276 6a60e78-6a60e7e 1256->1276 1257->1255 1258->1243 1277 6a60fc2 1259->1277 1278 6a60fac-6a60fb2 1259->1278 1260->1258 1261->1215 1275->1255 1279 6a60e82-6a60e84 1276->1279 1280 6a60e80 1276->1280 1277->1258 1281 6a60fb6-6a60fb8 1278->1281 1282 6a60fb4 1278->1282 1279->1275 1280->1275 1281->1277 1282->1277 1286 6a610c0-6a610cf 1284->1286 1289 6a61234-6a6123f 1285->1289 1290 6a611a2-6a611b1 1285->1290 1291 6a610d1-6a610dd 1286->1291 1292 6a61129-6a6112d 1286->1292 1296 6a61247-6a61250 1289->1296 1299 6a611b3-6a611dc 1290->1299 1300 6a611ff-6a61203 1290->1300 1305 6a610e7-6a610fe 1291->1305 1293 6a6112f-6a6113a 1292->1293 1294 6a6113c 1292->1294 1298 6a61141-6a61144 1293->1298 1294->1298 1298->1296 1304 6a6114a-6a6114e 1298->1304 1323 6a611f4-6a611fd 1299->1323 1324 6a611de-6a611e4 1299->1324 1302 6a61205-6a61210 1300->1302 1303 6a61212 1300->1303 1308 6a61214-6a61216 1302->1308 1303->1308 1306 6a61150-6a6115b 1304->1306 1307 6a6115d 1304->1307 1314 6a61104-6a61106 1305->1314 1313 6a6115f-6a61161 1306->1313 1307->1313 1311 6a61267-6a6127c 1308->1311 1312 6a61218-6a61222 1308->1312 1337 6a612b4-6a612b7 1311->1337 1338 6a6127e-6a612af 1311->1338 1328 6a61225-6a6122e 1312->1328 1317 6a61167-6a61171 1313->1317 1318 6a61253-6a61260 1313->1318 1320 6a6111e-6a61127 1314->1320 1321 6a61108-6a6110e 1314->1321 1335 6a61174-6a6117e 1317->1335 1318->1311 1320->1335 1326 6a61112-6a61114 1321->1326 1327 6a61110 1321->1327 1323->1328 1329 6a611e6 1324->1329 1330 6a611e8-6a611ea 1324->1330 1326->1320 1327->1320 1328->1289 1328->1290 1329->1323 1330->1323 1335->1286 1336 6a61184 1335->1336 1336->1296 1339 6a612bb-6a612bd 1337->1339 1340 6a612b9 1337->1340 1342 6a612c7-6a612e9 1338->1342 1343 6a612b1 1338->1343 1339->1342 1340->1342 1346 6a612ec-6a612f0 1342->1346 1343->1337 1347 6a612f2-6a612f7 1346->1347 1348 6a612f9-6a612fe 1346->1348 1349 6a61304-6a61307 1347->1349 1348->1349 1350 6a6130d-6a61322 1349->1350 1351 6a614f8-6a61500 1349->1351 1350->1346 1353 6a61324 1350->1353 1354 6a613e0-6a61405 1353->1354 1355 6a6132b-6a61350 1353->1355 1356 6a61498 1353->1356 1366 6a61407-6a61409 1354->1366 1367 6a6140b-6a6140f 1354->1367 1368 6a61356-6a6135a 1355->1368 1369 6a61352-6a61354 1355->1369 1358 6a614a2-6a614b9 1356->1358 1362 6a614bf-6a614f3 1358->1362 1362->1346 1371 6a6146d-6a61493 1366->1371 1372 6a61430-6a61453 1367->1372 1373 6a61411-6a6142e 1367->1373 1375 6a6135c-6a61379 1368->1375 1376 6a6137b-6a6139e 1368->1376 1374 6a613b8-6a613db 1369->1374 1371->1346 1392 6a61455-6a6145b 1372->1392 1393 6a6146b 1372->1393 1373->1371 1374->1346 1375->1374 1390 6a613b6 1376->1390 1391 6a613a0-6a613a6 1376->1391 1390->1374 1396 6a613aa-6a613ac 1391->1396 1397 6a613a8 1391->1397 1394 6a6145f-6a61461 1392->1394 1395 6a6145d 1392->1395 1393->1371 1394->1393 1395->1393 1396->1390 1397->1390
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7b52a36dbc0d740de27f3914aa1069932ca5031245d0b6dce975d0bbaf1b73ed
                                                                                                                                                                                                                      • Instruction ID: 452b1ae91513f80b5010d0d58dd5848c26d3bc47e459a4e10cc5f64c4047a843
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7b52a36dbc0d740de27f3914aa1069932ca5031245d0b6dce975d0bbaf1b73ed
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D832A070B002059FDB54AB6AC944A6EBBF6FF89304B158469F506DB3A2DF70DC41CBA1
                                                                                                                                                                                                                      Function 06A748A8 Relevance: .5, Instructions: 504COMMON
                                                                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 1398 6a748a8-6a748b0 1399 6a74917-6a74933 1398->1399 1400 6a748b2-6a74900 call 6a74650 1398->1400 1408 6a74935-6a7493a 1399->1408 1409 6a7493f-6a7494b 1399->1409 1415 6a74906-6a7490a 1400->1415 1416 6a74902-6a74904 1400->1416 1410 6a74a1b-6a74a21 1408->1410 1418 6a7497e-6a7498a 1409->1418 1419 6a7494d-6a74979 call 6a73f50 1409->1419 1412 6a74a27-6a74a47 1410->1412 1413 6a74a23 1410->1413 1431 6a74a53-6a74a68 1412->1431 1432 6a74a49-6a74a4e 1412->1432 1413->1412 1417 6a74910 1415->1417 1416->1417 1417->1399 1424 6a74996-6a749aa 1418->1424 1425 6a7498c-6a74991 1418->1425 1419->1410 1435 6a74a16 1424->1435 1436 6a749ac-6a749ce 1424->1436 1425->1410 1444 6a74a6e-6a74a7e 1431->1444 1445 6a74aeb 1431->1445 1434 6a74af0-6a74afe 1432->1434 1442 6a74b16-6a74b22 1434->1442 1443 6a74b00-6a74b04 1434->1443 1435->1410 1456 6a749f4-6a74a0d 1436->1456 1457 6a749d0-6a749f2 1436->1457 1449 6a74c06-6a74c3a 1442->1449 1450 6a74b28-6a74b44 1442->1450 1448 6a74b0c-6a74b0e 1443->1448 1453 6a74a92-6a74a97 1444->1453 1454 6a74a80-6a74a90 1444->1454 1445->1434 1448->1442 1471 6a74c52-6a74c54 1449->1471 1472 6a74c3c-6a74c50 1449->1472 1465 6a74bf2-6a74c00 1450->1465 1453->1434 1454->1453 1464 6a74a99-6a74aa9 1454->1464 1456->1435 1473 6a74a0f-6a74a14 1456->1473 1457->1435 1457->1456 1476 6a74ab2-6a74ac2 1464->1476 1477 6a74aab-6a74ab0 1464->1477 1465->1449 1468 6a74b49-6a74b52 1465->1468 1474 6a74e11-6a74e38 1468->1474 1475 6a74b58-6a74b6b 1468->1475 1478 6a74c56-6a74c68 1471->1478 1479 6a74c84-6a74cc6 call 6a75508 1471->1479 1472->1471 1473->1410 1488 6a74e3e-6a74e40 1474->1488 1489 6a74ecc-6a74f08 1474->1489 1475->1474 1480 6a74b71-6a74b83 1475->1480 1486 6a74ac4-6a74ac9 1476->1486 1487 6a74acb-6a74adb 1476->1487 1477->1434 1478->1479 1494 6a74c6a-6a74c7c 1478->1494 1508 6a74ccc-6a74ce0 1479->1508 1495 6a74b85-6a74b91 1480->1495 1496 6a74bef 1480->1496 1486->1434 1502 6a74ae4-6a74ae9 1487->1502 1503 6a74add-6a74ae2 1487->1503 1488->1489 1493 6a74e46-6a74e48 1488->1493 1527 6a74f73-6a74f94 1489->1527 1528 6a74f0a-6a74f0c 1489->1528 1493->1489 1499 6a74e4e-6a74e52 1493->1499 1494->1479 1495->1474 1501 6a74b97-6a74bec 1495->1501 1496->1465 1499->1489 1504 6a74e54-6a74e58 1499->1504 1501->1496 1502->1434 1503->1434 1509 6a74e6a-6a74eac 1504->1509 1510 6a74e5a-6a74e68 1504->1510 1521 6a74d27-6a74d74 1508->1521 1522 6a74ce2-6a74cf9 1508->1522 1516 6a74eb4-6a74ec9 1509->1516 1510->1516 1553 6a74d76-6a74d8f 1521->1553 1554 6a74dc8-6a74ddf 1521->1554 1538 6a74d07-6a74d1f call 6a73f50 1522->1538 1539 6a74cfb-6a74d05 1522->1539 1532 6a74f50-6a74f71 1528->1532 1533 6a74f0e-6a74f1d 1528->1533 1532->1527 1543 6a74f1f-6a74f2c 1533->1543 1544 6a74f2d-6a74f37 1533->1544 1538->1521 1539->1538 1556 6a74f46-6a74f4c 1544->1556 1557 6a74f39-6a74f44 1544->1557 1563 6a74d91 1553->1563 1564 6a74d99-6a74dc5 1553->1564 1565 6a74e05-6a74e0e 1554->1565 1566 6a74de1-6a74dfc 1554->1566 1562 6a74f4e 1556->1562 1557->1562 1562->1532 1563->1564 1564->1554 1566->1565
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8128b0a25268a3757a0193823dbf670a15cdff1902282606f7747e9fcc2cb382
                                                                                                                                                                                                                      • Instruction ID: 143c9e02b033445b0a5ce63a41ee3fec8d168e6a06c1e62d6acd1484a33a5f78
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8128b0a25268a3757a0193823dbf670a15cdff1902282606f7747e9fcc2cb382
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B3121934B00605CFDB54EF29C984A6ABBF2FF89305B1584A9E506DB762DB34EC45CB90
                                                                                                                                                                                                                      Function 06A64BEC Relevance: .5, Instructions: 459COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 17c34f6bc11193c5a6d30d203cfa8cfdd35d5898239ac85721b9621e70a797c7
                                                                                                                                                                                                                      • Instruction ID: 0e36b1164304b52edd6b40449b68dc65e00c7a5f6eff2a586f9e5e964a3e9cfd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 17c34f6bc11193c5a6d30d203cfa8cfdd35d5898239ac85721b9621e70a797c7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B791CB70B00205CFDB54AF79C854A6EBBF6EF89200B1585AAE516CB3A2DF34DC05CB60
                                                                                                                                                                                                                      Function 06A73F50 Relevance: .4, Instructions: 397COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: cb47e015741673f3a61d72ed0d6b572cf4c93c1ecaa6579d614921d8bd9a38d7
                                                                                                                                                                                                                      • Instruction ID: 1c8fd086586ebb72d9029bd17256d1007dc33dae5902b3e69a364bc9991518bd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cb47e015741673f3a61d72ed0d6b572cf4c93c1ecaa6579d614921d8bd9a38d7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 64E11D34B002158FCB54EF69C9949AEBBF6FF88710B158169D906EB365DB71DC01CBA0
                                                                                                                                                                                                                      Function 06A600B9 Relevance: .3, Instructions: 333COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7d014e4d106cad1d187df2234ddcad099975fa42deed9ffe350018b2359f3473
                                                                                                                                                                                                                      • Instruction ID: eef2c6705c0ad01daaa0368403afb44ea57429f664a2601a31c7cfa302a50737
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7d014e4d106cad1d187df2234ddcad099975fa42deed9ffe350018b2359f3473
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B9C15E34B00204DFEB449BA5C958B697AB6FF89704F108459FA02DB3A1CFB5DD81CB61
                                                                                                                                                                                                                      Function 06A61530 Relevance: .2, Instructions: 199COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 30767561b2f30755f95c1c9ada7f019ef01b473a01d4a5eee38b49b5a504ba1c
                                                                                                                                                                                                                      • Instruction ID: 9dfa3e269cfbc22dca2d7f6ea1c8176094340673fb4ea124453ae7310c46a7b9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 30767561b2f30755f95c1c9ada7f019ef01b473a01d4a5eee38b49b5a504ba1c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9171D178B002449FDB40EBA9C85496EBBF6EF85300B14845AE812DB3A2DF74DC01CF50
                                                                                                                                                                                                                      Function 06A73F3F Relevance: .2, Instructions: 179COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 347dd4b1e35e1242cccf2f3a0f035a8bdc8a78468540b8a5d8fb124d69a11bc5
                                                                                                                                                                                                                      • Instruction ID: 0f1bd0236c24be45fe41939f958bdd7b65622954b7f90d260af54716b4e1e8b8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 347dd4b1e35e1242cccf2f3a0f035a8bdc8a78468540b8a5d8fb124d69a11bc5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9E610C34F006168FCB54EF69C9446AEBBF6EF88600B158169D906EB765DB71DC01CBA0
                                                                                                                                                                                                                      Function 06A77D58 Relevance: .1, Instructions: 147COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 41e8c23216a97879583395cf9e5b75b27f8911b53bef1dcb2b42be8b4b49e7ce
                                                                                                                                                                                                                      • Instruction ID: 39739dcb77ad123be4ae5c68623aabcf4bb17943762529cff1a9d32012554c2d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 41e8c23216a97879583395cf9e5b75b27f8911b53bef1dcb2b42be8b4b49e7ce
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AC513371E0021DDFDB54DFA9C980BEEBBF6AF88710F14852AE815AB244DB749841CF81
                                                                                                                                                                                                                      Function 06A63328 Relevance: .1, Instructions: 143COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e8520ede3bc014877675656fdf2669c95f946a908daef283c56641f3a67ee695
                                                                                                                                                                                                                      • Instruction ID: 6715a21cf003e64d668f72550f721925bac1848f33afa37f89296ae1d3e6dc52
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e8520ede3bc014877675656fdf2669c95f946a908daef283c56641f3a67ee695
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 94513935B10218AFCB44DF69C8849AEBBB2FF89710B15806AF905EB361DB71EC05CB50
                                                                                                                                                                                                                      Function 06A634D8 Relevance: .1, Instructions: 143COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: fa53f8c340fd2ff401452a0840f87a5a97246db51bc16116aa58f9fd5fb1f7ac
                                                                                                                                                                                                                      • Instruction ID: de63a508b8ce907340b2523ed4a051b5b63ae37c9d9e16aa041f260eeac02772
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fa53f8c340fd2ff401452a0840f87a5a97246db51bc16116aa58f9fd5fb1f7ac
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 04513635B106099FCB44DF69C8849AEBBF2EF89714B15806AF906EB361DB71EC05CB50
                                                                                                                                                                                                                      Function 06A77D4C Relevance: .1, Instructions: 132COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: d0541c96fbf8bd0028a9c5aa9933d06945b1de6a00d4ee0bbc4c3d51e773cb08
                                                                                                                                                                                                                      • Instruction ID: 5b3f054004f32c822a53dd1f93641d492d7d9cd1ec36e54a068652c8c1e2b59e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d0541c96fbf8bd0028a9c5aa9933d06945b1de6a00d4ee0bbc4c3d51e773cb08
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F45134B0E0025D9FDB55DFA9C984BDEBBF6BF48700F14842AE815AB280DB749845CF91
                                                                                                                                                                                                                      Function 06A61290 Relevance: .1, Instructions: 124COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6d03140323e584988acdbae62333de0bd61843f9c9983cd4d9048f6bae369cd8
                                                                                                                                                                                                                      • Instruction ID: 419dc09ec33473ebc26999c7169844587b4da7d9bea7b35d9ffbbe2583ab5703
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6d03140323e584988acdbae62333de0bd61843f9c9983cd4d9048f6bae369cd8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 144165B47102019FD7445BAE9854B6F7AABAFC9B04F114465FB02DB7A2CFB1DC018791
                                                                                                                                                                                                                      Function 06A73DE0 Relevance: .1, Instructions: 114COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ba0772a1985b50c79cb269a8c2311c8dec586da1e504ed1e81fedf8739c4989f
                                                                                                                                                                                                                      • Instruction ID: 315c3bd722ee37492616dc45d1b0c76a11116bda36b74a90c4f109c2b0974c99
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ba0772a1985b50c79cb269a8c2311c8dec586da1e504ed1e81fedf8739c4989f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9931F2317053518FC71AA738A8504AE7BE6DFC622031644AED44ACF781CE35DC4BC7A5
                                                                                                                                                                                                                      Function 06A784C8 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e24deba4465e8eb1a1de008a63c635df37ec70caec4894ae913e4ffd9b67a9ac
                                                                                                                                                                                                                      • Instruction ID: dcc1ba3ac341287fc139b651e4185a3ff8b2c53de8dadd79e6fbdb8ad35d5da3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e24deba4465e8eb1a1de008a63c635df37ec70caec4894ae913e4ffd9b67a9ac
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1931D1717002149BDB09AF79E8641BE3BE7EFC8210750447ED60ACB385EE359D0687E2
                                                                                                                                                                                                                      Function 06A75579 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 77fbbfe2cca4bade4d2c7d718659c5c8b4d29b6c23a035335a050dbf48583462
                                                                                                                                                                                                                      • Instruction ID: 25ccc8c54d9337d8b68206939368067572a996354b39bf348e82812e96a83475
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 77fbbfe2cca4bade4d2c7d718659c5c8b4d29b6c23a035335a050dbf48583462
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6A317A35B012119FCB05DF38D88496E7BF2BF89701B058469EA06CB365DB30ED05CB90
                                                                                                                                                                                                                      Function 06A75588 Relevance: .1, Instructions: 96COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 32c6b8f1c4fbc10cde095462d5b5eebc915705ef188f00d7661e0e9fc20f77aa
                                                                                                                                                                                                                      • Instruction ID: 000c35bdd66c5b37ae2f3dd54c20b942819eeeb9923a575d95778fbe2d829ba4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 32c6b8f1c4fbc10cde095462d5b5eebc915705ef188f00d7661e0e9fc20f77aa
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6D315534B012109FCB49EF38D88496EBBF2FF89210B018469EE068B365DB30ED01CB90
                                                                                                                                                                                                                      Function 06A787A0 Relevance: .1, Instructions: 93COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 58cff16cf917d6fc2653c9caa1d26a2a0cc98666f37eebc50288dceb494d8c17
                                                                                                                                                                                                                      • Instruction ID: 69794dbdc67d6f4fb4f174ed6beb454082708dea705f9dbcbc0e4f192556be9d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 58cff16cf917d6fc2653c9caa1d26a2a0cc98666f37eebc50288dceb494d8c17
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AD4102B1D01248DFDB54DFAAD944ADEFBF6AF88310F14802AE815BB250DB34A945CF90
                                                                                                                                                                                                                      Function 06A61515 Relevance: .1, Instructions: 91COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b96ee7a24b4f3d4bd19925881a79e2ea447ac14dbec002eb3c84190bd8ba48a2
                                                                                                                                                                                                                      • Instruction ID: cfd77a4d31f9eadb966c725412361727cb3064e287797d4c6c5149e6d647fedc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b96ee7a24b4f3d4bd19925881a79e2ea447ac14dbec002eb3c84190bd8ba48a2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F431C174B002449FDB009FA9C9548AEBFF6EF85210B15416AE816DB3A2CB74DD01CBA1
                                                                                                                                                                                                                      Function 06A78797 Relevance: .1, Instructions: 81COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8cf0ecff6b74d60def02925716f0af2f4f58376dfdb56b87b7bb5385f92ae7d1
                                                                                                                                                                                                                      • Instruction ID: d93e3a662f98b0f3797f71dd5ab0ddba8d851d9b47215377537667d64423452f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8cf0ecff6b74d60def02925716f0af2f4f58376dfdb56b87b7bb5385f92ae7d1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 233103B1D012499FDB54DFAAC944BDEBFF6AF88310F14802AE415BB290DB74A945CF90
                                                                                                                                                                                                                      Function 06A78A98 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f03699f48230eaa66d2afd1873de7dd8d1629c97b8dd743677beb80548f51069
                                                                                                                                                                                                                      • Instruction ID: 865bed38fbb607202ae1c829ada1b9744b3cec0b4a1c3283eff1252e3312e70d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f03699f48230eaa66d2afd1873de7dd8d1629c97b8dd743677beb80548f51069
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 523114B1D01218DFDB54DFA9D894BDEBBF5BF88310F14802AE405B7240C778A845CB90
                                                                                                                                                                                                                      Function 0166D3D8 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2319788416.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_166d000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 441c7a91833aa558d951d050ae61e8e9f0658841ae70ca5535080b90c05004a9
                                                                                                                                                                                                                      • Instruction ID: 013d4ae75d43c758423b8cd89e6bb07d12c158c1ff630f76fc079258fb344963
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 441c7a91833aa558d951d050ae61e8e9f0658841ae70ca5535080b90c05004a9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E0213672200244EFDB05DF44D9C0B6ABF69FB88324F20C16CD94A0B256C336E856CAA1
                                                                                                                                                                                                                      Function 06A61068 Relevance: .1, Instructions: 72COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 17c4b1297f90a12993de25c546af729dd17be6bc3eb2eb510e64d7447053dc93
                                                                                                                                                                                                                      • Instruction ID: 0f03ead25e6494110c17f19949ea74427f874bac855b0ac23651b61b314b45a5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 17c4b1297f90a12993de25c546af729dd17be6bc3eb2eb510e64d7447053dc93
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 03219F30B001049FDB44AB6ED9449AEBBFAFFD8210B158569E5269B7A1DB30CD10CBA1
                                                                                                                                                                                                                      Function 0167D01C Relevance: .1, Instructions: 72COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2319823019.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_167d000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e57e07b6ba0a5eafb31af54a1ad3fac129fd3ee0b85a91502d559f6592463eea
                                                                                                                                                                                                                      • Instruction ID: 5c8dddaf4870facd67f33fb4517dc506c3eed01e2210182cb33365528c367db6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e57e07b6ba0a5eafb31af54a1ad3fac129fd3ee0b85a91502d559f6592463eea
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 03210075604200EFDB16DF64D980B26BB61EF84314F20C96DD90A0B392C37AD447CA61
                                                                                                                                                                                                                      Function 06A78F43 Relevance: .1, Instructions: 71COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 334e18e2f9ca5c08084ffdedbaee6ef0c47ff0b4bd6588bf44ace510515146cb
                                                                                                                                                                                                                      • Instruction ID: f109958cc8304cc5f12269305ff2ffd4a7f86b71455e141cb516d3b5cf2cfb67
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 334e18e2f9ca5c08084ffdedbaee6ef0c47ff0b4bd6588bf44ace510515146cb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3B211374D0525ADFCB40DFA8D888AEEBBB1EF09311F1041AAE415AB351D7385A81CB90
                                                                                                                                                                                                                      Function 06A78A8C Relevance: .1, Instructions: 70COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9e34c5ef34e99817ad5616f7b0b72100b8ef6c2d9aa1a0862f5a8fdbda4cd38c
                                                                                                                                                                                                                      • Instruction ID: 4c8da2254f654ee8a5a135c224cbbdaa7471338d5bf121025f3e83ca3e0fb4cf
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e34c5ef34e99817ad5616f7b0b72100b8ef6c2d9aa1a0862f5a8fdbda4cd38c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 742135B1D01349AFDB14DFA9C894BDEBFF9AF88310F14842AE405A7241DB74A845CBA0
                                                                                                                                                                                                                      Function 06A76E73 Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 2f11e3295369b0048ce304344e3728487ac2b608d04b68030971f1ac98807671
                                                                                                                                                                                                                      • Instruction ID: 50105188c34d169856ce020876739c89e9ca10961a6640d9cceb1be52ff1e178
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2f11e3295369b0048ce304344e3728487ac2b608d04b68030971f1ac98807671
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AF01923220E2E92EC7524AA95C10CFB7FEDDA8F161709419BFAD5C6153C0188A66D7B1
                                                                                                                                                                                                                      Function 06A64B3C Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324468236.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a60000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c7b99cd68a37e962399c466c4e2cad7265e295063fccc0720c943d7278245bce
                                                                                                                                                                                                                      • Instruction ID: c9b75fbd52bb98702335edd2aa4feec09ab83842420b0416e0d8b3db55f2fc2e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c7b99cd68a37e962399c466c4e2cad7265e295063fccc0720c943d7278245bce
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 25116AB27402069FCB44DBB8C854A6EFBF2FFC8610B108469D25ADB3A1DE71E805CB51
                                                                                                                                                                                                                      Function 0166D3D3 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2319788416.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_166d000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                                                                                                                                                                                      • Instruction ID: 91900e32326ba5df87661f0cf27d05bcbfb702c1f7bee489a5a6fa263652b7d2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0C11DFB6504280DFCB02CF44D9C0B56BF71FB84324F24C2A9D8490B257C33AE856CBA1
                                                                                                                                                                                                                      Function 0167D017 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2319823019.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_167d000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                                                                                                                                                                      • Instruction ID: 88e4ad97f46bdb9a9e1805b38277984b730604a883a3219fb2afa0f5c21eb0a9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D811BB75504280CFCB12CF54D9C4B15BBA2FB84314F28CAAAD8094B796C33AD40ACBA2
                                                                                                                                                                                                                      Function 06A7BC5F Relevance: .1, Instructions: 52COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a674d6dc2199d518d70fc0e596b3e192d1d27ac013e591f98d1de9de5382fb8c
                                                                                                                                                                                                                      • Instruction ID: 5aa8e392e608998e8c3531bee4cda3a0ef2f9c26f28ec2e15e8b442c945cad5f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a674d6dc2199d518d70fc0e596b3e192d1d27ac013e591f98d1de9de5382fb8c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 560192312002069FD798AB38E854A6E7BA7FFC1254B54482CD64B87B40DE707D4AC7F5
                                                                                                                                                                                                                      Function 06A78350 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f1f36934afaa56ea60da76edadc91e692a541003d7078dcc480ae467d84b27d7
                                                                                                                                                                                                                      • Instruction ID: 00eba52cca8dfdf66832b7d46d322a7fabbb13bc5c222489f28eaf9f9632ca42
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f1f36934afaa56ea60da76edadc91e692a541003d7078dcc480ae467d84b27d7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7F018F31B001199BDF10DEADEC98ABFF7FAEBD4661B14403AE605D3240EB74991587A1
                                                                                                                                                                                                                      Function 06A7C499 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 85f41907e6cd90d450d5e2a3f878265a786a56604f56a5891cc6dd1afdf3b6cb
                                                                                                                                                                                                                      • Instruction ID: 5be2e9566b0c7ee822ce6bdb25d1f74d9d5df466840515138d7dd56a2dc78f65
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 85f41907e6cd90d450d5e2a3f878265a786a56604f56a5891cc6dd1afdf3b6cb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2501A1342007068BE364AF69E41465A7BE3FFC5315F108A2DD14A87740CF74A80ACBA1
                                                                                                                                                                                                                      Function 06A7BC70 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4e3abd510e1e04f6f6fc12a989cf23a986caaf513f26bdd7c3eac66ef348320a
                                                                                                                                                                                                                      • Instruction ID: 4a4ec0de07cfcfa866829bae17a667e3f20df8748f5a7629000159f3193f7df0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4e3abd510e1e04f6f6fc12a989cf23a986caaf513f26bdd7c3eac66ef348320a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35018F3120020A8FDA88A738E85452E7BA7FFC1254754582CD20B8BB40DEB07D4AC7F6
                                                                                                                                                                                                                      Function 0166DAA5 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2319788416.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_166d000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8d79c286e8a660947de419883ee3b85ac2e5210be29f59864b63d23068ccf8e8
                                                                                                                                                                                                                      • Instruction ID: 308c4eaea2f98fe5d4dfb2fe9611850c52ff213ae860505a228a828cb2a4a700
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8d79c286e8a660947de419883ee3b85ac2e5210be29f59864b63d23068ccf8e8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0A01F77160C3409EE7104F99CD84B2BBF9CDF41370F18C45AEE480A286C7B89441CBB1
                                                                                                                                                                                                                      Function 06A7C4A8 Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0ae00ee6c68b324ad9e17efa489119b0d06ced6978b0c3611462c031de2d03f8
                                                                                                                                                                                                                      • Instruction ID: 7025f981baefd04779b69caebdca3fa1f317284a2362fc7ee1641f3212245ae9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0ae00ee6c68b324ad9e17efa489119b0d06ced6978b0c3611462c031de2d03f8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EB01B53420060A8FE314EF66E44465A7BE3FFC5715B108A2CC14B87740CF74AC0ACBA1
                                                                                                                                                                                                                      Function 06A75508 Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: be72fca4a7f48f1b9d3db54647cc1eb6b721f228077f6cdea630f87534c0086a
                                                                                                                                                                                                                      • Instruction ID: 7dced5d4fa2dc7dbfa43cf9fa5f23b7619c12e587ab42f643504012d67496c99
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: be72fca4a7f48f1b9d3db54647cc1eb6b721f228077f6cdea630f87534c0086a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8D018130E01712CFDBA9AB39F804527B7F7BF84619714883CD5068AA14DEB5E481CBD0
                                                                                                                                                                                                                      Function 06A7E8B0 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1dee8093d95cedf51e57d684ae30e821261f94ad3742a4657e789f826636f135
                                                                                                                                                                                                                      • Instruction ID: ea226feba8004f96db075a384a5731ef538ee9579771665c244b8d4929661073
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1dee8093d95cedf51e57d684ae30e821261f94ad3742a4657e789f826636f135
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5A01AD34618309DFCB05AF64D8148693FB6EF8620071488EDE5458B221DA329C11DB91
                                                                                                                                                                                                                      Function 06A78F50 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4abc46e191fec10f1d51bebc47e087f281c8e8d996781d075a212a304ea10925
                                                                                                                                                                                                                      • Instruction ID: f64c9525892e50e4dea54c4eb597d7222ba1c3e633160647c8dbb4dfa2eb0060
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4abc46e191fec10f1d51bebc47e087f281c8e8d996781d075a212a304ea10925
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4C01D2B4D0520AEFDB44EFA9D9496AEBBF1BF49301F1095AAD815A3340E7780A40CF91
                                                                                                                                                                                                                      Function 0166DAA4 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2319788416.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_166d000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7b1ae5444f3f6e67d0a7691dbd24fbad8f4b9f11e1c3b5a0a70a4cd5765989aa
                                                                                                                                                                                                                      • Instruction ID: 888c3c38a1047837d344aca276fbf844869e3af0db146059ab53b573bf82cf7c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7b1ae5444f3f6e67d0a7691dbd24fbad8f4b9f11e1c3b5a0a70a4cd5765989aa
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 68F0C2B1504344AEE7108E09CDC4B62FF9CEB41674F18C45AEE480B386C3789840CAB1
                                                                                                                                                                                                                      Function 06A7B358 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 32c3829391c904d9cb5e376f43c217bfafe95295edafeae07882ca282255c4b5
                                                                                                                                                                                                                      • Instruction ID: 08e5c793542b6c839d3edb535b8ef2296bf654651b698d24b23c44b127729c92
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 32c3829391c904d9cb5e376f43c217bfafe95295edafeae07882ca282255c4b5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 22011634A0120AEFCB44EFA9E98479CBBB2FB85205F1045ACD905A7310EB341E85DB65
                                                                                                                                                                                                                      Function 06A73EC8 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e0fb0f85eca920269731fd8524f6c5789145b4c2ca6784865aa217d6991d4382
                                                                                                                                                                                                                      • Instruction ID: 6bf05ac58c801e96920cb1ced6f41bb2e9421106093e26ce737e815765554830
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e0fb0f85eca920269731fd8524f6c5789145b4c2ca6784865aa217d6991d4382
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BAF090303002018BC609E72AE85096E7BD7EFC9210750592CC50E9BB40EF70ED0B87E5
                                                                                                                                                                                                                      Function 06A76EA0 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 812d44c9b86153eb4e3810141dba45a00d0ecf94aa2ae4b9b2f66f47c9a7155e
                                                                                                                                                                                                                      • Instruction ID: 2deb1294c766d48179b2c846593c57ff9909ae9ad0a5c46e21cc38f049bb5daf
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 812d44c9b86153eb4e3810141dba45a00d0ecf94aa2ae4b9b2f66f47c9a7155e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 78F012722081E83F8B554E9A5C10CFB7FEDDA8E161B084156FE99D2241C429C921ABB0
                                                                                                                                                                                                                      Function 06A7ACB8 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 38ffefbf3b047d8ebf2cc92eb58712d618fae80ae698d6c5fd762fb987bbcdb2
                                                                                                                                                                                                                      • Instruction ID: 7a280fd320cf9b8a5d85c775904585fe2911cee9ecf63ef66a3529ca1f93edbe
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 38ffefbf3b047d8ebf2cc92eb58712d618fae80ae698d6c5fd762fb987bbcdb2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0EF05972309190AFC71227789C240AD3FB5DEC625134800DFD686CF351DE944502C3E5
                                                                                                                                                                                                                      Function 06A7ADE9 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 19b744905f059a83dd817aa32cbc13d17a1548615cbca405882ca53265b61941
                                                                                                                                                                                                                      • Instruction ID: d7a77ce12034b60414865e285a0f615b562cbdfa7a90e10e8edcfdf61e8502ad
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 19b744905f059a83dd817aa32cbc13d17a1548615cbca405882ca53265b61941
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CCF0A731205212AFC3503B66A89869B7FEBEFCA714B04446DF10ED7342CE751C4987B5
                                                                                                                                                                                                                      Function 06A767C8 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 89c8e6b7abce4ca84ab8ba310034b22167a56ab4a381e5a838d9d0d8e0d1275a
                                                                                                                                                                                                                      • Instruction ID: 073e3add9b8a02dfbe0f8641dd65140f96b9979f6dc80885a1ce6e5edd75bbc1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 89c8e6b7abce4ca84ab8ba310034b22167a56ab4a381e5a838d9d0d8e0d1275a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 46F0BE31B407019FDB209BA8AD40F947BE2AF82721F14D266E254CF5E2DBB1D8469B84
                                                                                                                                                                                                                      Function 06A78341 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: dfbc6f4c91dba57f3762786209d1431a7aa9a9d1dd497d595e4874120a024870
                                                                                                                                                                                                                      • Instruction ID: 1c2f1766f40b222afe3bd91cb32d30b8bb91db9b2a66fad8bad87fcbea7bfbff
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dfbc6f4c91dba57f3762786209d1431a7aa9a9d1dd497d595e4874120a024870
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B3F0A072F051155BCF10DAACAD986FEBBAAAB845617084037EA14D3100FB34881983A0
                                                                                                                                                                                                                      Function 06A78FC0 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3c69ceef8aef2dc65bf399543cf764c80d707dd0bf2839ec94ed872ccc2bdd83
                                                                                                                                                                                                                      • Instruction ID: 5f6439cd21db090e20af4c5f6e1f9597a45cf32a90e3515117034b3cf355b280
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3c69ceef8aef2dc65bf399543cf764c80d707dd0bf2839ec94ed872ccc2bdd83
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B1F0CDB1C09149DFDB00EFA0C8191AEBFB0EF5A201F0041EAE842EB350E6394A01CB50
                                                                                                                                                                                                                      Function 06A7B368 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 99e04d2213a77f5c0dfbf578b8b5fc8372cc740657ddde4fea4db5377925ebb0
                                                                                                                                                                                                                      • Instruction ID: a6daebba7a3f0ea7242de93c5a707aa4cc3f722910c4c498b485798f973e1d1b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 99e04d2213a77f5c0dfbf578b8b5fc8372cc740657ddde4fea4db5377925ebb0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D5F03C74E0120AEFCB08EFB9E84465C7BB6FB85205B1045ADD509E7310DF341E44CBA5
                                                                                                                                                                                                                      Function 06A7C110 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 686d515d15bd4e8fcb2180a83091988f4690283c600fe610912bf5ed7febbcb2
                                                                                                                                                                                                                      • Instruction ID: e9065399646cef5d569efb9e2ac662b5942e8cf751e033e706248f9a13b84a01
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 686d515d15bd4e8fcb2180a83091988f4690283c600fe610912bf5ed7febbcb2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 33F0B4302057918FC312E729E80879F7FE7DFC1304F04056DE28687641DBE5680587A5
                                                                                                                                                                                                                      Function 06A7C170 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4ca57e2b26e1619c3d77f30ae5dd8993870066d1cc6dca6670ecf1d283db3189
                                                                                                                                                                                                                      • Instruction ID: de0671e9c20c033ec97c3d0ff1e253e1a7555fa4e8b5c8e979bdea950663b91e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4ca57e2b26e1619c3d77f30ae5dd8993870066d1cc6dca6670ecf1d283db3189
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C2F0AF34500B069FD725DF66E408612BBF6FF88311B108A2EE88A82A00DB70A585CF95
                                                                                                                                                                                                                      Function 06A7ADF8 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 45d2a54898eb06b0d80644085dab09b1afa89621365c2aa05f52f261a8d6d660
                                                                                                                                                                                                                      • Instruction ID: c6921ec50bc166025c3e86309b3e3b321c73bd1ef35b117e5733cd12ed728dab
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 45d2a54898eb06b0d80644085dab09b1afa89621365c2aa05f52f261a8d6d660
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DAE09231200112ABC3143B9AA888A9E7ADFEBC9355B00442CE20EC3341CEB1180587B5
                                                                                                                                                                                                                      Function 06A7C180 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6f2e251a6e19a6ba94fdeb46d018d4087f83877220fa9fe0282209df96b512fc
                                                                                                                                                                                                                      • Instruction ID: e0b220a39c0829c8a63e7498d9421aebbebbaec4d411b8c957bb81f645bac68f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6f2e251a6e19a6ba94fdeb46d018d4087f83877220fa9fe0282209df96b512fc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B9F09034500B059FD715DF66E408512BBF6FB88311700C62EE54A82A10DB70A549CF95
                                                                                                                                                                                                                      Function 06A7B500 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: d754a95c78436e92eabcdc3539bc0b3bf87ebfae05c0869329de07a9a8d4827a
                                                                                                                                                                                                                      • Instruction ID: 17bb89496630c3e1fd1e2b175f2d6920af444a0ab45952a75a76bf405e8f6285
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d754a95c78436e92eabcdc3539bc0b3bf87ebfae05c0869329de07a9a8d4827a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C8F01535D0520DEFCB01DFB4E9488CDBFB9EB44200F1042A6A805E2240EA315B45CBA1
                                                                                                                                                                                                                      Function 06A7C120 Relevance: .0, Instructions: 25COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7cef579192a3bf5d6974f0b8cced26e9e2959993cf66da9b48367b8ce5757129
                                                                                                                                                                                                                      • Instruction ID: 43566900333bbeee9a6607dd20a6c3c34c0f80274e69150bc17e67325f30f1b8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7cef579192a3bf5d6974f0b8cced26e9e2959993cf66da9b48367b8ce5757129
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A5E030302047568FC716E729E80879E7FE6DBC5614F04052DD24A87741CBA5A80587A5
                                                                                                                                                                                                                      Function 06A75698 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a30bd35ec7137f061463956a1a0cc0aa8e9a0baad2abb657a16212b6885d9380
                                                                                                                                                                                                                      • Instruction ID: 79dc8cfbf416b0792f7cd1f42ee2b41a3c66fc39e1dd2e9ec83d16bde523be94
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a30bd35ec7137f061463956a1a0cc0aa8e9a0baad2abb657a16212b6885d9380
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 63E048B350C3509FD705DB20FC5489A77A9DFA1310B15DC6EE4418B541EB32E851CBA5
                                                                                                                                                                                                                      Function 06A7E280 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: dd7c917112dbe54c4e6110e4dc914c8eb0cbdfa9b7be4ad88f4fac0426af163d
                                                                                                                                                                                                                      • Instruction ID: 6de1b196352cc8f65cfdb6266c872d94f3981fa6e458e57d1173b7e27fa05507
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dd7c917112dbe54c4e6110e4dc914c8eb0cbdfa9b7be4ad88f4fac0426af163d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 68E02033D012514FD745A312BD019443F62E796201F031146D80C5B6B1CB780D8BCBF2
                                                                                                                                                                                                                      Function 06A7E1FF Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 066582ae25d568457ad494e1b90f9355c035d4748a85e46b3213cecdba52c94b
                                                                                                                                                                                                                      • Instruction ID: 30ae198c9b2b2f3743f8b13c65151667b8b17e7c9a2f535638ce80ced10a20ce
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 066582ae25d568457ad494e1b90f9355c035d4748a85e46b3213cecdba52c94b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D7E0D872909209EFCB01DB64AC1089D7BB2DB8210072042DAD409E3290E5300F158761
                                                                                                                                                                                                                      Function 06A7CE88 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f600d6ffe1c1346dfe82f30930888603bf7e19bf11dd8ba8c23127d70125d0eb
                                                                                                                                                                                                                      • Instruction ID: 1ddc25e1d03915f02e51c88d0b14397d841e1d94d005e3ba9327743ec202004a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f600d6ffe1c1346dfe82f30930888603bf7e19bf11dd8ba8c23127d70125d0eb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3BE08675905206EFDB619724F409B997BA6EB41311F00001CED4A97B00DB745CC287A6
                                                                                                                                                                                                                      Function 06A7AC80 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3548fc7776166345eb8927b7f82f0212fdf5578312b20c44a1cd20439e09e1d2
                                                                                                                                                                                                                      • Instruction ID: 0568067d645e378950d70a20ab9de55b0bf65929aac343336e3846c2cf2fcf7a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3548fc7776166345eb8927b7f82f0212fdf5578312b20c44a1cd20439e09e1d2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A5D05B313001159786153769B4584AE7BABEBC5661305002EE70FCF340CEA51D0587D5
                                                                                                                                                                                                                      Function 06A7CC38 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9aa93ba6abfe4e3bd840c378e95cdd63232056765abb32ce3f1a9f816ca80847
                                                                                                                                                                                                                      • Instruction ID: 3673010c55cf55a32941356e06aace1c10593b189f266d55d419225b7da2b9eb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9aa93ba6abfe4e3bd840c378e95cdd63232056765abb32ce3f1a9f816ca80847
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A8E08C33A002128FDB51EF0AF800F8A77A1EB85662F004228D04997704CB391C87CFA1
                                                                                                                                                                                                                      Function 06A7B510 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 38d2d4a7a9b9dd2e7cfbbcc21c16b7a857f02e186af29fe34a55a9e819cd974e
                                                                                                                                                                                                                      • Instruction ID: e9d5f7135c5f99ab958b95696acf1ddb003c8f2ff31fdeaffdb1ccf7279b7b2f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 38d2d4a7a9b9dd2e7cfbbcc21c16b7a857f02e186af29fe34a55a9e819cd974e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E9E09275D0020DEFCB40DFE4E9448DDBBB9EB48200F1082AAD909A3200EB306B55DF91
                                                                                                                                                                                                                      Function 06A7E210 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ac0cc12f16254e33bcf98f6547bf1fa902eee7f792e707766c6bba1b02e2d182
                                                                                                                                                                                                                      • Instruction ID: b977ac9efc612863aaa565cc9b7dd502980d58d49daee754cabbf4d091f46fae
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ac0cc12f16254e33bcf98f6547bf1fa902eee7f792e707766c6bba1b02e2d182
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AED05E72E0020DFFCB40EFA8E90095DBBBAEB84204B1045ADD50DE3300EA712F049BA1
                                                                                                                                                                                                                      Function 06A7E8F8 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 25000e3d536dc692f84bb0ce1fbe7c14c5ae6dfd50f7d1b89f1e102fa45cdb49
                                                                                                                                                                                                                      • Instruction ID: 4579d012bea10b6108768425fcf3a0b59bbc220a0fdc9a2500923b9895f5bf35
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 25000e3d536dc692f84bb0ce1fbe7c14c5ae6dfd50f7d1b89f1e102fa45cdb49
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 27D05239210208EFC740AF48C881B427BF8BF48B00F10808CFA804B621CB32A860EF90
                                                                                                                                                                                                                      Function 06A7F8EB Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3a774ffdf800575b07326d51594cd4baeb7662e574f9d4ef568cc91c4364d2da
                                                                                                                                                                                                                      • Instruction ID: b0cb1a7f43499140d2ab43c36dfc619d8baa979b849f9c1ebaee152f4f7c1543
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3a774ffdf800575b07326d51594cd4baeb7662e574f9d4ef568cc91c4364d2da
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5AC012727400200B0A89B66CB4200AD76DBA3C81A3385002FEA0ED3348CD718C868BA5
                                                                                                                                                                                                                      Function 06A73721 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c36b4146de38ceb4a7b1825b63b0168f0836480268a72ff2eb362ac2412fbdb4
                                                                                                                                                                                                                      • Instruction ID: bbb1ea712d2e3fe19de860852e1894be955650bcbdb8e01e504f0e26592f67ce
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c36b4146de38ceb4a7b1825b63b0168f0836480268a72ff2eb362ac2412fbdb4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F7C09B9650F3C15FD30617601C118F729765FE764031F82D355A3D7B93DD14052482F6
                                                                                                                                                                                                                      Function 06A7DFD1 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1d8ec5a98d17b66ab8f4203e6fc4261ffa61f9d147be3e2d75413c28fd88713d
                                                                                                                                                                                                                      • Instruction ID: 85f67cc4631b51dd7e0cdcde6aa6ec4955c7c7d84e5316fa5e36707ec932f92f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1d8ec5a98d17b66ab8f4203e6fc4261ffa61f9d147be3e2d75413c28fd88713d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E7C09B3658F7D45FDF0217309C0D4857E56AF9271071500C6A3418E463E7620005CBA1

                                                                                                                                                                                                                      Non-executed Functions

                                                                                                                                                                                                                      Function 06A76FE8 Relevance: .8, Instructions: 787COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 91b1d67b3dddb282fd89078d69e0e9d8fc4a3f6c89f712ed4c22cdc1119bd1f7
                                                                                                                                                                                                                      • Instruction ID: 1347b1525da7c6ccb20629d120b093d5a8fa5ba817ab8793539d378d622c1332
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 91b1d67b3dddb282fd89078d69e0e9d8fc4a3f6c89f712ed4c22cdc1119bd1f7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5D62FCB06002019FE788DF69D85875A7AD6EF84308F64C55CC10E9F392DFBAD90B8B95
                                                                                                                                                                                                                      Function 06A76FF8 Relevance: .8, Instructions: 780COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2324496108.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6a70000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 79054e0d4e65f435236e31298ca9c4d86e7d11e932f3e01de7e19dbe514cde09
                                                                                                                                                                                                                      • Instruction ID: 59e1211bd61aba2e03fde06483afd989e3fbb2626bf61030d59be67233fff798
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 79054e0d4e65f435236e31298ca9c4d86e7d11e932f3e01de7e19dbe514cde09
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 07620CB06002019FE788DF69D85875A7AD6EF84308F64C55CC10E9F392DFBAD90B8B95
                                                                                                                                                                                                                      Function 017DDC74 Relevance: .3, Instructions: 264COMMON
                                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2320063609.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_17d0000_kYpONUhAR5.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9ba16c5e87df82d0a11ec00da1144476aa3c6c89b53a5c67e6c1abb4af4b4281
                                                                                                                                                                                                                      • Instruction ID: 86bad7f9d0ab523b8350de7abe1933aa5a145c52083b294fc11db1853dd8890e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9ba16c5e87df82d0a11ec00da1144476aa3c6c89b53a5c67e6c1abb4af4b4281
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 38A15032E0021A8FCF15DFB9C8445DEFBB2FF84300B15456AE906AB265DB71E956CB90