
Windows Analysis Report
PO-1BdyzarvrjUANe0.exe

Overview

General Information

Sample name: PO-1BdyzarvrjUANe0.exe
Analysis ID: 1539389
MD5: fac116ca092033649c6a8ae32e000508
SHA1: 5139cdc83309a71256413e6e9948098deeb4f144
SHA256: dd7864aca2acdf7738015e6568b6d6fe2f425137c81dcfb19ba491852678b4a7
Tags: exe, redline, RedLineStealer, user-malwarelabnet

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • PO-1BdyzarvrjUANe0.exe (PID: 4364 cmdline: "C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe" MD5: FAC116CA092033649C6A8AE32E000508)
    • PO-1BdyzarvrjUANe0.exe (PID: 1732 cmdline: "C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe" MD5: FAC116CA092033649C6A8AE32E000508)
  • cleanup
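The signature list and process tree above describe a chain that is worth detecting as a whole rather than as isolated alerts: the sample spawns a second copy of itself in suspended mode (the hollowing target in which the unpacked RedLine payload is later found at 0x400000), that child fingerprints the host through WMI hardware queries, inventories security products, and then connects to 188.190.10.19:1912. The following Python is an added example, not part of the Joe Sandbox report and not RedLine's own code: it runs that correlation over a constructed event log in an assumed Sysmon-like schema. The PIDs, image path and C2 socket are taken from the report; the parent PIDs, the exact WMI query text and the benign notepad.exe control process are assumptions.

```python
"""Correlate the behaviours listed in the report into one verdict.

Added example, not part of the Joe Sandbox report and not RedLine code.
EVENTS is a constructed log in an assumed Sysmon-like schema: the PIDs,
image path and C2 socket come from the report; the parent PIDs, the benign
notepad.exe control process and the exact WMI query text are assumed.
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # Win32 process creation flag ("Creates a process in suspended mode")

# WMI classes the report flags as VM-fingerprinting probes
VM_PROBE_CLASSES = {"Win32_DiskDrive", "Win32_VideoController", "Win32_Processor"}
# root\SecurityCenter2 classes behind "Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)"
SECURITY_CENTER_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}
# Ports treated as ordinary egress; anything else counts as "non-standard" here (tunable)
WELL_KNOWN_PORTS = {80, 443, 8080, 8443}

SAMPLE_IMAGE = r"C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe"
EXPLORER = r"C:\Windows\explorer.exe"

EVENTS = [  # constructed, see module docstring
    {"type": "process_create", "pid": 4364, "ppid": 2468, "image": SAMPLE_IMAGE,
     "parent_image": EXPLORER, "creation_flags": 0x0},
    {"type": "process_create", "pid": 1732, "ppid": 4364, "image": SAMPLE_IMAGE,
     "parent_image": SAMPLE_IMAGE, "creation_flags": CREATE_SUSPENDED},
    {"type": "wmi_query", "pid": 1732, "namespace": r"root\cimv2",
     "query": "SELECT * FROM Win32_DiskDrive"},
    {"type": "wmi_query", "pid": 1732, "namespace": r"root\cimv2",
     "query": "SELECT * FROM Win32_VideoController"},
    {"type": "wmi_query", "pid": 1732, "namespace": r"root\cimv2",
     "query": "SELECT * FROM Win32_Processor"},
    {"type": "wmi_query", "pid": 1732, "namespace": r"root\SecurityCenter2",
     "query": "SELECT * FROM AntiVirusProduct"},
    {"type": "network_connect", "pid": 1732, "dst_ip": "188.190.10.19",
     "dst_port": 1912, "protocol": "tcp"},
    # benign control: a normal child of explorer.exe talking to 443
    {"type": "process_create", "pid": 5120, "ppid": 2468,
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": EXPLORER,
     "creation_flags": 0x0},
    {"type": "network_connect", "pid": 5120, "dst_ip": "203.0.113.10",
     "dst_port": 443, "protocol": "tcp"},
]

WMI_CLASS_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


def analyse(events):
    """Return {pid: sorted indicator names} for every process with at least one indicator."""
    indicators = defaultdict(set)
    probed = defaultdict(set)  # pid -> VM-probe classes seen so far
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create":
            same_image = ev["image"].lower() == ev["parent_image"].lower()
            if same_image and ev["creation_flags"] & CREATE_SUSPENDED:
                indicators[pid].add("self_spawn_suspended")            # the hollowed child
                indicators[ev["ppid"]].add("spawned_self_suspended")   # the injector
        elif ev["type"] == "wmi_query":
            m = WMI_CLASS_RE.search(ev["query"])
            cls = m.group(1) if m else ""
            if cls in VM_PROBE_CLASSES:
                probed[pid].add(cls)
                if len(probed[pid]) >= 2:  # one hardware query is normal; several in a row is fingerprinting
                    indicators[pid].add("wmi_vm_fingerprint")
            elif cls in SECURITY_CENTER_CLASSES:
                indicators[pid].add("wmi_security_product_inventory")
        elif ev["type"] == "network_connect":
            if ev["protocol"] == "tcp" and ev["dst_port"] not in WELL_KNOWN_PORTS:
                indicators[pid].add("tcp_nonstandard_port")
    return {pid: sorted(names) for pid, names in indicators.items()}


def verdict(events):
    """PIDs matching the report's chain: hollowed self-spawn + VM fingerprinting + odd-port C2."""
    required = {"self_spawn_suspended", "wmi_vm_fingerprint", "tcp_nonstandard_port"}
    return sorted(pid for pid, names in analyse(events).items() if required <= set(names))


if __name__ == "__main__":
    for pid, names in sorted(analyse(EVENTS).items()):
        print(pid, ", ".join(names))
    print("stealer-like:", verdict(EVENTS))
```

The three conditions in `verdict` are deliberately required together: each one alone fires on legitimate software (installers spawn themselves, inventory agents query Win32_Processor, plenty of services use odd ports), but a suspended self-spawn followed by hardware fingerprinting and an outbound connection on an unusual port from the same child is the pattern this report documents.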
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration:
{"C2 url": ["188.190.10.19:1912"], "Bot Id": "FROSHLOG", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Yara matches (PCAP)
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches (memory dumps)
Source | Rule | Description | Author
00000002.00000002.1988809355.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1762571849.00000000040C9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1762571849.00000000041E6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1762571849.000000000419B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(6 further entries not shown in this extract)

Yara matches (unpacked PE files)
Source | Rule | Description | Author
0.2.PO-1BdyzarvrjUANe0.exe.41a3f78.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.PO-1BdyzarvrjUANe0.exe.4158d58.5.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.PO-1BdyzarvrjUANe0.exe.41a3f78.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.PO-1BdyzarvrjUANe0.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.PO-1BdyzarvrjUANe0.exe.4158d58.5.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                          No Sigma rule has matched
Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T16:11:14.379136+0200 | 2043234 | 1 | A Network Trojan was detected | 188.190.10.19 | 1912 | 192.168.2.4 | 49733 | TCP

2024-10-22T16:11:14.127926+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:19.480034+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:20.682993+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:20.981360+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:21.563029+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:21.838802+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:22.271687+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:22.686846+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:22.692481+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:23.634154+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:23.890863+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:24.194379+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:24.239630+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:24.538120+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:28.068897+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:28.381917+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:33.171919+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:33.752102+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:33.998709+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:34.246772+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:34.648432+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP

2024-10-22T16:11:20.689742+0200 | 2046056 | 1 | A Network Trojan was detected | 188.190.10.19 | 1912 | 192.168.2.4 | 49733 | TCP

2024-10-22T16:11:14.127926+0200 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP


                          AV Detection

Source: PO-1BdyzarvrjUANe0.exe | Avira: detected
Source: 2.2.PO-1BdyzarvrjUANe0.exe.400000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["188.190.10.19:1912"], "Bot Id": "FROSHLOG", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: PO-1BdyzarvrjUANe0.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO-1BdyzarvrjUANe0.exe | Joe Sandbox ML: detected
Source: PO-1BdyzarvrjUANe0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO-1BdyzarvrjUANe0.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 4x nop then jmp 06C459FCh (2_2_06C45738)
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 4x nop then jmp 06C49160h (2_2_06C48C68)
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 4x nop then jmp 06C461FFh (2_2_06C45AA0)
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 4x nop then jmp 06C43976h (2_2_06C43955)
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 4x nop then jmp 07215BE2h (2_2_072157C0)
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 4x nop then jmp 07216062h (2_2_072157C0)
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 4x nop then jmp 07214DB1h (2_2_07214D99)

                          Networking

Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49733 -> 188.190.10.19:1912
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49733 -> 188.190.10.19:1912
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 188.190.10.19:1912 -> 192.168.2.4:49733
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 188.190.10.19:1912 -> 192.168.2.4:49733
Source: Malware configuration extractor | URLs: 188.190.10.19:1912
Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 188.190.10.19:1912
Source: Joe Sandbox View | ASN Name: ASINTTELUA ASINTTELUA
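Suricata SID 2046045 above names "MC-NMF Authorization": MC-NMF is the .NET Message Framing protocol that WCF uses on net.tcp endpoints, and every session on it opens with a fixed preamble (Version, Mode, Via, KnownEncoding, PreambleEnd records) before any message bytes. The Python below is an added example, not part of the Joe Sandbox report and not RedLine's own code: it builds that preamble for the report's C2 socket and parses it back, which is the check a custom detector would run on the first client bytes of a TCP session to a non-standard port. The record layout follows the published MC-NMF specification; the via URI net.tcp://188.190.10.19:1912/ is an assumption, since the report gives the socket but not the URI the sample sends, and the report's "Authorization Header" value is not modelled here because its framing inside the session is not shown on the page.

```python
"""Build and parse a .NET Message Framing (MC-NMF) preamble.

Added example, not part of the report and not RedLine's own code. MC-NMF is
the framing WCF uses for net.tcp endpoints and is what the Suricata rule name
"MC-NMF Authorization" refers to; the record layout below follows the
published MC-NMF specification. The via URI is an assumption: the report
gives the C2 socket 188.190.10.19:1912 but not the URI the sample sends.
"""
from dataclasses import dataclass

# Record types that make up the preamble
VERSION, MODE, VIA, KNOWN_ENCODING, PREAMBLE_END = 0x00, 0x01, 0x02, 0x03, 0x0C
MODES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODINGS = {0: "utf8-soap11", 1: "utf16-soap11", 2: "unicode-le-soap11",
             3: "utf8-soap12", 4: "utf16-soap12", 5: "unicode-le-soap12",
             6: "mtom", 7: "binary", 8: "binary-in-band-dictionary"}


def encode_varint(n):
    """MC-NMF length prefix: 7 bits per byte, low bits first, high bit = continue."""
    out = bytearray()
    while True:
        low, n = n & 0x7F, n >> 7
        out.append(low | 0x80 if n else low)
        if not n:
            return bytes(out)


def decode_varint(buf, pos):
    """Return (value, new_pos); the spec allows at most five bytes."""
    value = shift = 0
    for _ in range(5):
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    raise ValueError("length prefix longer than five bytes")


def build_preamble(via, mode=2, encoding=8):
    """Version 1.0, Duplex, binary-with-in-band-dictionary: the default net.tcp client combination."""
    uri = via.encode("utf-8")
    return (bytes([VERSION, 1, 0]) + bytes([MODE, mode]) + bytes([VIA]) + encode_varint(len(uri)) + uri
            + bytes([KNOWN_ENCODING, encoding]) + bytes([PREAMBLE_END]))


@dataclass
class Preamble:
    mode: str
    via: str
    encoding: str
    length: int  # bytes consumed up to and including the PreambleEnd record


def parse_preamble(buf):
    """Return a Preamble if buf starts with a complete, well-formed MC-NMF 1.0 preamble, else None."""
    try:
        if buf[0] != VERSION or (buf[1], buf[2]) != (1, 0):
            return None
        pos, mode, via, enc = 3, None, None, None
        while pos < len(buf):
            rec = buf[pos]
            pos += 1
            if rec == MODE:
                mode = MODES.get(buf[pos])
                pos += 1
            elif rec == VIA:
                n, pos = decode_varint(buf, pos)
                if pos + n > len(buf):
                    return None  # truncated URI: not a complete preamble
                via = buf[pos:pos + n].decode("utf-8")
                pos += n
            elif rec == KNOWN_ENCODING:
                enc = ENCODINGS.get(buf[pos])
                pos += 1
            elif rec == PREAMBLE_END:
                if None in (mode, via, enc):
                    return None
                return Preamble(mode, via, enc, pos)
            else:
                return None  # anything else is not a preamble record
        return None  # ran out of bytes before PreambleEnd
    except (IndexError, UnicodeDecodeError, ValueError):
        return None


def describe_session(dst_ip, dst_port, payload):
    """What a custom detector would log for the first client bytes of a TCP session, or None."""
    p = parse_preamble(payload)
    if p is None:
        return None
    return f"MC-NMF {p.mode}/{p.encoding} to {dst_ip}:{dst_port}, via={p.via}"


# Constructed first-packet payloads: the report's C2 socket, then a non-NMF control
C2_PREAMBLE = build_preamble("net.tcp://188.190.10.19:1912/")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    print(C2_PREAMBLE.hex(" "))
    print(describe_session("188.190.10.19", 1912, C2_PREAMBLE))
    print(describe_session("203.0.113.10", 80, HTTP_REQUEST))
```

The preamble alone is not a RedLine signature: any WCF net.tcp client sends it. What makes it useful is context, namely a net.tcp preamble from a user-profile binary to an unusual port on a host that is not a known WCF service, which is exactly the combination the Suricata rules above key on for this family.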
The URLs in the memory strings below are the standard WS-* namespace URIs (WS-Security, WS-Trust, WS-SecureConversation, WS-Addressing, WS-ReliableMessaging, WS-AtomicTransaction, WS-Coordination) that the .NET System.ServiceModel (WCF) runtime embeds as constants. They are framework artifacts, not attacker infrastructure, and their presence in the injected process is consistent with the WCF net.tcp (MC-NMF) channel flagged by Suricata SID 2046045; the only network indicator in this section is 188.190.10.19:1912.

Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.000000000304C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003223000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003227000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003223000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765357290.0000000005A29000.00000004.00000020.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765499513.0000000005A64000.00000004.00000020.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.00000000041E6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.000000000419B000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1988809355.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
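The string hits above mix three very different populations: WCF/WS-Trust namespace URIs and `http://tempuri.org/Entity/IdN` action names that come from the .NET WCF client RedLine is known to use for C2, font-vendor URLs that are just metadata of fonts embedded in the loader's resources, and Chrome default search-provider URLs that the stealer touches while reading browser data. The following triage script is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling. It parses rows in the report's own `Source: ... | String found in binary or memory: ...` layout (the sample rows are copied from this report and embedded inline), groups each URL by the process and dump region it was found in, and sorts it into a category so the C2-relevant strings stand out. The category rules, the reading of the dump name's fifth dot-separated field as the Win32 page-protection value, and the attribution of `Entity/IdN` and `api.ip.sb/ip` to RedLine are the editor's assumptions, not facts stated by the report; trailing characters such as `coml` or `htmlN` are also assumed to be string-extraction overrun into adjacent bytes.

```python
"""Triage Joe Sandbox 'String found in binary or memory' rows (added example).

Assumptions, not facts from the report:
  * a dump name is <proc>.<kind>.<id>.<base>.<protect>.<...>.sdmp and the
    fifth field is the Win32 PAGE_* protection of the dumped region;
  * http://tempuri.org/Entity/IdN(Response) names are WCF operation actions
    used by RedLine's C2 client, and api.ip.sb/ip is its public-IP lookup.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: six rows taken from the report, same layout as the page.
SAMPLE_ROWS = """\
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1988809355.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
"""

# Accept both the raw (fused) row and the separated "... | String found" form.
ROW_RE = re.compile(r"^Source:\s*(?P<sources>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<value>\S+)\s*$")
SRC_RE = re.compile(r"(?P<image>[^,\s][^,]*?),\s*(?P<dump>[0-9A-F]{8}(?:\.[0-9A-F]+)+\.sdmp)")
DUMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.")
OP_RE = re.compile(r"^/Entity/Id(\d+)(Response)?")

PAGE_EXECUTE_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY (documented Win32 values)
FONT_HOSTS = ("www.fontbureau.com", "www.fonts.com", "www.founder.com.cn", "www.galapagosdesign.com",
              "www.goodfont.co.kr", "www.jiyu-kobo.co.jp", "www.sajatypeworks.com", "www.sakkal.com",
              "www.sandoll.co.kr", "www.tiro.com", "www.typography.net", "www.urwpp.de",
              "www.zhongyicts.com.cn", "www.carterandcone.com", "www.apache.org")
SEARCH_DOMAINS = ("ecosia.org", "duckduckgo.com", "yahoo.com", "google.com")
PIVOT_CATEGORIES = {"redline_wcf_contract", "ip_lookup"}


def classify(url):
    """Map one extracted URL to a triage category (assumed rules, see module docstring)."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host == "tempuri.org":
        return "redline_wcf_contract" if OP_RE.match(parsed.path) else "wcf_default_namespace"
    if host == "schemas.xmlsoap.org":
        return "ws_trust_schema"
    if host == "api.ip.sb":
        return "ip_lookup"
    # startswith() tolerates extraction overrun such as "www.typography.netD".
    if any(host.startswith(h) for h in FONT_HOSTS):
        return "font_metadata"
    if any(host == d or host.endswith("." + d) for d in SEARCH_DOMAINS):
        return "browser_search_default"
    return "other"


def parse_rows(text):
    """Turn report rows into records: value, category and the dumps it was seen in."""
    records = []
    for line in text.splitlines():
        row = ROW_RE.match(line.strip())
        if not row:
            continue
        hits = []
        for src in SRC_RE.finditer(row["sources"]):
            dump = DUMP_RE.match(src["dump"])
            if not dump:
                continue
            protect = int(dump["protect"], 16)
            hits.append({
                "image": src["image"],
                "process": int(dump["proc"], 16),   # matches the N in "N_2_..." code-function ids
                "base": int(dump["base"], 16),
                "protect": protect,
                "executable": bool(protect & PAGE_EXECUTE_MASK),
            })
        records.append({"value": row["value"], "category": classify(row["value"]), "hits": hits})
    return records


def summarize(records):
    """Count how many strings fall into each category."""
    return Counter(r["category"] for r in records)


def wcf_operations(records):
    """Set of N from the Entity/IdN action names (fingerprints the contract size)."""
    return {int(OP_RE.match(urlparse(r["value"]).path).group(1))
            for r in records if r["category"] == "redline_wcf_contract"}


def suspicious(records):
    """Sorted values worth pivoting on; everything else is font or browser noise."""
    return sorted(r["value"] for r in records if r["category"] in PIVOT_CATEGORIES)


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    print(dict(summarize(recs)))
    print("WCF operations:", sorted(wcf_operations(recs)))
    for value in suspicious(recs):
        rec = next(r for r in recs if r["value"] == value)
        for h in rec["hits"]:
            print(f"{value}  proc={h['process']} base=0x{h['base']:X} exec={h['executable']}")
```

Run on the full list above, `wcf_operations` yields Id1 through Id24, and `suspicious` reduces roughly 120 rows to the `tempuri.org/Entity/IdN` names plus `api.ip.sb/ip`. The `api.ip.sb/ip` row is the interesting one for the injection story: under the assumed field layout it appears in read-write heap regions of process 0 and in a region of process 2 at base 0x402000 with protection 0x40 (PAGE_EXECUTE_READWRITE), which is what a manually mapped payload in a suspended child looks like; confirm that reading against the report's process tree and injection signatures before relying on it.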
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_078611E0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_07854D3B
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_02EB3E6C
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_02EBE06C
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_02EBCA70
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_02EB70E8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_0563A8E8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_0563A8D8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09038D98
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_0903B148
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09034A88
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09034AB0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09038D89
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09034ED9
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09034EE8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09037000
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09035311
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09035320
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09036718
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09036728
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_014BDC74
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C423A0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C41E30
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C47FB8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C42C9A
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C48C68
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C45AA0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C4BA48
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C46A00
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C43A08
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C4A8F0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C44928
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C4020F
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C40220
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C42393
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C47FA8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 2_2_06C439F8
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_072157C02_2_072157C0
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_07213E702_2_07213E70
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_072125982_2_07212598
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_072144B02_2_072144B0
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_07217C882_2_07217C88
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_07212CE22_2_07212CE2
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_072151202_2_07215120
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_072157AF2_2_072157AF
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_07213E602_2_07213E60
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_0721143F2_2_0721143F
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_072114882_2_07211488
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_07211B802_2_07211B80
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_07211B902_2_07211B90
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_0721510F2_2_0721510F
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_072109B02_2_072109B0
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_072101D82_2_072101D8
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeCode function: 2_2_072110082_2_07211008
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1767570025.0000000007AF0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs PO-1BdyzarvrjUANe0.exe
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000000.1731733536.0000000000CB2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameegW.exe6 vs PO-1BdyzarvrjUANe0.exe
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.00000000041E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs PO-1BdyzarvrjUANe0.exe
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.0000000004231000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs PO-1BdyzarvrjUANe0.exe
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.0000000004231000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs PO-1BdyzarvrjUANe0.exe
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.000000000419B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs PO-1BdyzarvrjUANe0.exe
                          Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1761067913.000000000136E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO-1BdyzarvrjUANe0.exe
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs PO-1BdyzarvrjUANe0.exe
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1988809355.0000000000446000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs PO-1BdyzarvrjUANe0.exe
                          Source: PO-1BdyzarvrjUANe0.exeBinary or memory string: OriginalFilenameegW.exe6 vs PO-1BdyzarvrjUANe0.exe
                          Source: PO-1BdyzarvrjUANe0.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: PO-1BdyzarvrjUANe0.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, rZkRXysfeXVYoA0RyF.csSecurity API names: _0020.SetAccessControl
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, rZkRXysfeXVYoA0RyF.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, rZkRXysfeXVYoA0RyF.csSecurity API names: _0020.AddAccessRule
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, GmKRKQHfmJtcXPTxir.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, rZkRXysfeXVYoA0RyF.csSecurity API names: _0020.SetAccessControl
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, rZkRXysfeXVYoA0RyF.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, rZkRXysfeXVYoA0RyF.csSecurity API names: _0020.AddAccessRule
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, GmKRKQHfmJtcXPTxir.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, rZkRXysfeXVYoA0RyF.csSecurity API names: _0020.SetAccessControl
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, rZkRXysfeXVYoA0RyF.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, rZkRXysfeXVYoA0RyF.csSecurity API names: _0020.AddAccessRule
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, GmKRKQHfmJtcXPTxir.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@0/1
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-1BdyzarvrjUANe0.exe.logJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeMutant created: NULL
                          Source: PO-1BdyzarvrjUANe0.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: PO-1BdyzarvrjUANe0.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.000000000335A000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003371000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003402000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000033EB000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.000000000337F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                          Source: PO-1BdyzarvrjUANe0.exeReversingLabs: Detection: 63%
                          Source: unknownProcess created: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe "C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe"
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeProcess created: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe "C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe"
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeProcess created: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe "C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe"Jump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: dwrite.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: textshaping.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: windowscodecs.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: iconcodecservice.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: dwrite.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: windowscodecs.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: rstrtmgr.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                          Source: PO-1BdyzarvrjUANe0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: PO-1BdyzarvrjUANe0.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, rZkRXysfeXVYoA0RyF.cs | .Net Code: cO9dfS0OgE System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, rZkRXysfeXVYoA0RyF.cs | .Net Code: cO9dfS0OgE System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, rZkRXysfeXVYoA0RyF.cs | .Net Code: cO9dfS0OgE System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_0563C45F push cs; iretd 0_2_0563C463
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_0563264A push esp; retf 0_2_05632651
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_05632648 pushad ; retf 0_2_05632649
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_05632A5D push eax; iretd 0_2_05632A5E
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_09030526 push ss; ret 0_2_09030527
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Code function: 0_2_090304E7 push ebp; ret 0_2_090304E8
Source: PO-1BdyzarvrjUANe0.exe | Static PE information: section name: .text entropy: 7.838098776126378
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, rZkRXysfeXVYoA0RyF.cs | High entropy of concatenated method names: 'OdAya5Xty1', 'hTdyLF1FPF', 'jbGyPKBMOM', 'hACyCIKyPw', 'AIHyrmRrFN', 'EmhyQQvrg9', 'A4DylgevBB', 'JIUyJK2FUg', 'F5TyMe6Tho', 'CsAy4dCL9r'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, seuy09AN5b7faHphXp.cs | High entropy of concatenated method names: 'fbpf9MBjV', 'l1qhVBe8K', 'uE5FIErJw', 'zpiNwPTkN', 'xvX9QPP1X', 'BDyGGYYrR', 'k2w7ALSAgd8Mmaqpss', 'nn9HuA3TE0U4RLyxqp', 'LreHt2RXC', 'aATWvc8lm'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, GjQ6XwkJjat9GxPDcu.cs | High entropy of concatenated method names: 'RB4es3gYYM', 'NwtetTOFgU', 'AyRHOM8gQg', 'mWeHIf1OUn', 'IpbeB1mis4', 'y19e7r8JMl', 'kn3ejKDaeQ', 'X0qegRsuK9', 'e0KeEEh1W5', 'oIGeY0Rsh2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, JJKg8ebTUChCQXE5oX.cs | High entropy of concatenated method names: 'vhnr06OJvK', 'j6yrNHEyb3', 'UEMCiTeVTL', 'TclCk6H9SX', 'nQACRl7dKg', 'FcVCKTScn1', 'DHoC3SBukB', 'othC1G59ik', 'PPyCU1qTQi', 'xB7CSbhWw2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, GmKRKQHfmJtcXPTxir.cs | High entropy of concatenated method names: 'qcMPgxnB26', 'aBXPETBsgh', 'XByPYmKH74', 'OpNP8Nq3RN', 'Y0IPVQKHdM', 'l4gPwgOfpG', 'bNbPpWkktb', 'tP8PskdE3q', 'drkPAuKSmE', 'UvuPt11LC1'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, OcxLs3zlQmvuaKcpmq.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hM9Z6bCfqD', 'W7PZv2yJYU', 'GXSZo8WPe4', 'LMZZeILXc9', 'md1ZHAnS8i', 'H5QZZ8VGfF', 'PdiZWl2jDU'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, p6xnyVPjFleaBgG9Ju.cs | High entropy of concatenated method names: 'euVHLXVKR1', 'lXrHPKpjLa', 'swkHC1Klyx', 'QTqHrVuW7Z', 'ykeHQCFxwM', 'BkcHlPbPJq', 'u6hHJD7nhE', 'pZOHMZPond', 'FWeH4HJJq4', 'yYKHc8HPFH'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, MWgFDSRB8wfb0WKC1k.cs | High entropy of concatenated method names: 'Dispose', 'O5PIAyxZjx', 'V5x2uunWEL', 'sTpxxZ2YCy', 'bXeItT9vij', 'IuVIzPG4Ft', 'ProcessDialogKey', 'tdA2OU7vtE', 'jnu2IsODYL', 'Rta227t265'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, amgQhAT7fPN3ud71RvY.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JlUWgHAAtT', 'Mj7WErHjuB', 'mFbWYoWvQm', 'jXJW8prIes', 'TtHWVtSQZv', 't2KWw4TQH2', 'j1dWp5QyTn'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, bw2npPvQrAROUjGtgC.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'AKN2AJqwlw', 'Yx82tfvSsf', 'JlX2zB1C9O', 'Bf4yOFTVVZ', 'WvByIgF7FP', 'sNTy2GpvRW', 'n5byyhddYF', 'qRgJOhjVJOFCbRmU8pb'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, FQ4Pw8O5w1fgK4LJ1T.cs | High entropy of concatenated method names: 'N1sChtn6Gp', 'jgyCFqQgTa', 'HicC59yIkc', 'ufKC9RKXAd', 'BYuCvbm0rx', 'L1NCoolabg', 'wJyCe9n3vJ', 'ySrCHfltSj', 'h6PCZPuFAB', 'PHOCWVjgJ7'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, x8EQAbobrC1c1P7M6y.cs | High entropy of concatenated method names: 'IHYHDIsMHw', 'FUtHu1cI4M', 'VQvHi9SKh1', 'xAdHk1eZQp', 'S6aHglQNl6', 'L5ZHRw6SE6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, t7UJ2KQ1IBo4N52oUu.cs | High entropy of concatenated method names: 'nojIldKFaK', 'QsqIJhJQOn', 'JtVI4sE4Xw', 'JaMIcCOVY7', 'ihOIvJxkBO', 'nF6IoiecPS', 'OhkBVqx6qR4Lkfjvoo', 'Ex8QZkDIV3MfpbJh2X', 'qh0IINUTRW', 'iAgIyTbiIx'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, d4egtNJefeVgDQmw9Y.cs | High entropy of concatenated method names: 'vInQaGxjvb', 'y4dQPLQjyb', 'sIUQrV5pIT', 'BHyQlV3oMb', 'gt2QJKrNYX', 'W98rVKYyPf', 'I4JrwI967W', 'KUErpeqcnn', 'uaPrsrvhPI', 'XH3rAxeUc2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, j9HJJUeI9tO23YHRcJ.cs | High entropy of concatenated method names: 'ToString', 'rWYoBQc5sV', 'S07ouIgNoW', 'BehoiH2cMg', 'VjrokF7dUT', 'r30oRUpFG3', 'LnMoKijCeF', 'OHKo3iNYfq', 'Fxmo10x1QA', 'm5xoUDWdrp'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, YPFVHDdxNPJPKBZRSO.cs | High entropy of concatenated method names: 'afRlqtAohS', 'eaWlXUjKvC', 'oKulfv9svr', 'psLlhBfMCQ', 'auSl0CeH0F', 'qAslFxY1wk', 'RwhlN8J9ch', 'wgCl5Dutwl', 'HKOl9VDWLs', 'DjqlGDmhVs'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, woU1cATS60TfWJL5KwE.cs | High entropy of concatenated method names: 'LPMZqlVoYe', 'mVgZXi6XHl', 'PYvZfC4r2a', 'E97Zh4gQaV', 'PXeZ0Fsy6L', 'rFjZFXRYWi', 'GGOZNR0Ofw', 'p6RZ5xtAPr', 'i8KZ9icNep', 'WieZGM5NSb'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, hBgXbn67oTOR8K1VGC.cs | High entropy of concatenated method names: 'y83652ApkE', 'VZx69rpyuc', 'GDt6D5apva', 'AUw6u3D5wD', 'fb66klOAtO', 'xcX6RdJkw0', 'IcY63eou9R', 'PNo61jX9uM', 'iYS6SEOROs', 'q7D6Bha5rM'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, lwSFEgGO8fQVunmcX5.cs | High entropy of concatenated method names: 'RE7ZI39oy3', 'iVDZymCg1J', 'aWKZdNNhP7', 'ndVZLnZnrN', 'c43ZPcrvx9', 'WZpZrSvqnp', 'uYFZQI7jMC', 'TmkHpSeHna', 'AYSHs8YAPu', 'fOWHA5A4RP'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, aQsUnflvEEP8Xc3DWo.cs | High entropy of concatenated method names: 'UY8vSFCh0x', 'VpZv762IZK', 'TBSvgxtxtI', 'dNEvE4njyP', 'tsovuig9qS', 'TrZviFtcak', 't7hvk70fRC', 'ljTvR4JK69', 'G3tvKGaOIg', 'x8Bv3A0jml'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, rZkRXysfeXVYoA0RyF.cs | High entropy of concatenated method names: 'OdAya5Xty1', 'hTdyLF1FPF', 'jbGyPKBMOM', 'hACyCIKyPw', 'AIHyrmRrFN', 'EmhyQQvrg9', 'A4DylgevBB', 'JIUyJK2FUg', 'F5TyMe6Tho', 'CsAy4dCL9r'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, seuy09AN5b7faHphXp.cs | High entropy of concatenated method names: 'fbpf9MBjV', 'l1qhVBe8K', 'uE5FIErJw', 'zpiNwPTkN', 'xvX9QPP1X', 'BDyGGYYrR', 'k2w7ALSAgd8Mmaqpss', 'nn9HuA3TE0U4RLyxqp', 'LreHt2RXC', 'aATWvc8lm'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, GjQ6XwkJjat9GxPDcu.cs | High entropy of concatenated method names: 'RB4es3gYYM', 'NwtetTOFgU', 'AyRHOM8gQg', 'mWeHIf1OUn', 'IpbeB1mis4', 'y19e7r8JMl', 'kn3ejKDaeQ', 'X0qegRsuK9', 'e0KeEEh1W5', 'oIGeY0Rsh2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, JJKg8ebTUChCQXE5oX.cs | High entropy of concatenated method names: 'vhnr06OJvK', 'j6yrNHEyb3', 'UEMCiTeVTL', 'TclCk6H9SX', 'nQACRl7dKg', 'FcVCKTScn1', 'DHoC3SBukB', 'othC1G59ik', 'PPyCU1qTQi', 'xB7CSbhWw2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, GmKRKQHfmJtcXPTxir.cs | High entropy of concatenated method names: 'qcMPgxnB26', 'aBXPETBsgh', 'XByPYmKH74', 'OpNP8Nq3RN', 'Y0IPVQKHdM', 'l4gPwgOfpG', 'bNbPpWkktb', 'tP8PskdE3q', 'drkPAuKSmE', 'UvuPt11LC1'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, OcxLs3zlQmvuaKcpmq.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hM9Z6bCfqD', 'W7PZv2yJYU', 'GXSZo8WPe4', 'LMZZeILXc9', 'md1ZHAnS8i', 'H5QZZ8VGfF', 'PdiZWl2jDU'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, p6xnyVPjFleaBgG9Ju.cs | High entropy of concatenated method names: 'euVHLXVKR1', 'lXrHPKpjLa', 'swkHC1Klyx', 'QTqHrVuW7Z', 'ykeHQCFxwM', 'BkcHlPbPJq', 'u6hHJD7nhE', 'pZOHMZPond', 'FWeH4HJJq4', 'yYKHc8HPFH'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, MWgFDSRB8wfb0WKC1k.cs | High entropy of concatenated method names: 'Dispose', 'O5PIAyxZjx', 'V5x2uunWEL', 'sTpxxZ2YCy', 'bXeItT9vij', 'IuVIzPG4Ft', 'ProcessDialogKey', 'tdA2OU7vtE', 'jnu2IsODYL', 'Rta227t265'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, amgQhAT7fPN3ud71RvY.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JlUWgHAAtT', 'Mj7WErHjuB', 'mFbWYoWvQm', 'jXJW8prIes', 'TtHWVtSQZv', 't2KWw4TQH2', 'j1dWp5QyTn'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, bw2npPvQrAROUjGtgC.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'AKN2AJqwlw', 'Yx82tfvSsf', 'JlX2zB1C9O', 'Bf4yOFTVVZ', 'WvByIgF7FP', 'sNTy2GpvRW', 'n5byyhddYF', 'qRgJOhjVJOFCbRmU8pb'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, FQ4Pw8O5w1fgK4LJ1T.cs | High entropy of concatenated method names: 'N1sChtn6Gp', 'jgyCFqQgTa', 'HicC59yIkc', 'ufKC9RKXAd', 'BYuCvbm0rx', 'L1NCoolabg', 'wJyCe9n3vJ', 'ySrCHfltSj', 'h6PCZPuFAB', 'PHOCWVjgJ7'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, x8EQAbobrC1c1P7M6y.cs | High entropy of concatenated method names: 'IHYHDIsMHw', 'FUtHu1cI4M', 'VQvHi9SKh1', 'xAdHk1eZQp', 'S6aHglQNl6', 'L5ZHRw6SE6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, t7UJ2KQ1IBo4N52oUu.cs | High entropy of concatenated method names: 'nojIldKFaK', 'QsqIJhJQOn', 'JtVI4sE4Xw', 'JaMIcCOVY7', 'ihOIvJxkBO', 'nF6IoiecPS', 'OhkBVqx6qR4Lkfjvoo', 'Ex8QZkDIV3MfpbJh2X', 'qh0IINUTRW', 'iAgIyTbiIx'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, d4egtNJefeVgDQmw9Y.cs | High entropy of concatenated method names: 'vInQaGxjvb', 'y4dQPLQjyb', 'sIUQrV5pIT', 'BHyQlV3oMb', 'gt2QJKrNYX', 'W98rVKYyPf', 'I4JrwI967W', 'KUErpeqcnn', 'uaPrsrvhPI', 'XH3rAxeUc2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, j9HJJUeI9tO23YHRcJ.cs | High entropy of concatenated method names: 'ToString', 'rWYoBQc5sV', 'S07ouIgNoW', 'BehoiH2cMg', 'VjrokF7dUT', 'r30oRUpFG3', 'LnMoKijCeF', 'OHKo3iNYfq', 'Fxmo10x1QA', 'm5xoUDWdrp'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, YPFVHDdxNPJPKBZRSO.cs | High entropy of concatenated method names: 'afRlqtAohS', 'eaWlXUjKvC', 'oKulfv9svr', 'psLlhBfMCQ', 'auSl0CeH0F', 'qAslFxY1wk', 'RwhlN8J9ch', 'wgCl5Dutwl', 'HKOl9VDWLs', 'DjqlGDmhVs'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, woU1cATS60TfWJL5KwE.cs | High entropy of concatenated method names: 'LPMZqlVoYe', 'mVgZXi6XHl', 'PYvZfC4r2a', 'E97Zh4gQaV', 'PXeZ0Fsy6L', 'rFjZFXRYWi', 'GGOZNR0Ofw', 'p6RZ5xtAPr', 'i8KZ9icNep', 'WieZGM5NSb'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, hBgXbn67oTOR8K1VGC.cs | High entropy of concatenated method names: 'y83652ApkE', 'VZx69rpyuc', 'GDt6D5apva', 'AUw6u3D5wD', 'fb66klOAtO', 'xcX6RdJkw0', 'IcY63eou9R', 'PNo61jX9uM', 'iYS6SEOROs', 'q7D6Bha5rM'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, lwSFEgGO8fQVunmcX5.cs | High entropy of concatenated method names: 'RE7ZI39oy3', 'iVDZymCg1J', 'aWKZdNNhP7', 'ndVZLnZnrN', 'c43ZPcrvx9', 'WZpZrSvqnp', 'uYFZQI7jMC', 'TmkHpSeHna', 'AYSHs8YAPu', 'fOWHA5A4RP'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, aQsUnflvEEP8Xc3DWo.cs | High entropy of concatenated method names: 'UY8vSFCh0x', 'VpZv762IZK', 'TBSvgxtxtI', 'dNEvE4njyP', 'tsovuig9qS', 'TrZviFtcak', 't7hvk70fRC', 'ljTvR4JK69', 'G3tvKGaOIg', 'x8Bv3A0jml'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, rZkRXysfeXVYoA0RyF.cs | High entropy of concatenated method names: 'OdAya5Xty1', 'hTdyLF1FPF', 'jbGyPKBMOM', 'hACyCIKyPw', 'AIHyrmRrFN', 'EmhyQQvrg9', 'A4DylgevBB', 'JIUyJK2FUg', 'F5TyMe6Tho', 'CsAy4dCL9r'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, seuy09AN5b7faHphXp.cs | High entropy of concatenated method names: 'fbpf9MBjV', 'l1qhVBe8K', 'uE5FIErJw', 'zpiNwPTkN', 'xvX9QPP1X', 'BDyGGYYrR', 'k2w7ALSAgd8Mmaqpss', 'nn9HuA3TE0U4RLyxqp', 'LreHt2RXC', 'aATWvc8lm'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, GjQ6XwkJjat9GxPDcu.cs | High entropy of concatenated method names: 'RB4es3gYYM', 'NwtetTOFgU', 'AyRHOM8gQg', 'mWeHIf1OUn', 'IpbeB1mis4', 'y19e7r8JMl', 'kn3ejKDaeQ', 'X0qegRsuK9', 'e0KeEEh1W5', 'oIGeY0Rsh2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, JJKg8ebTUChCQXE5oX.cs | High entropy of concatenated method names: 'vhnr06OJvK', 'j6yrNHEyb3', 'UEMCiTeVTL', 'TclCk6H9SX', 'nQACRl7dKg', 'FcVCKTScn1', 'DHoC3SBukB', 'othC1G59ik', 'PPyCU1qTQi', 'xB7CSbhWw2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, GmKRKQHfmJtcXPTxir.cs | High entropy of concatenated method names: 'qcMPgxnB26', 'aBXPETBsgh', 'XByPYmKH74', 'OpNP8Nq3RN', 'Y0IPVQKHdM', 'l4gPwgOfpG', 'bNbPpWkktb', 'tP8PskdE3q', 'drkPAuKSmE', 'UvuPt11LC1'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, OcxLs3zlQmvuaKcpmq.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hM9Z6bCfqD', 'W7PZv2yJYU', 'GXSZo8WPe4', 'LMZZeILXc9', 'md1ZHAnS8i', 'H5QZZ8VGfF', 'PdiZWl2jDU'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, p6xnyVPjFleaBgG9Ju.cs | High entropy of concatenated method names: 'euVHLXVKR1', 'lXrHPKpjLa', 'swkHC1Klyx', 'QTqHrVuW7Z', 'ykeHQCFxwM', 'BkcHlPbPJq', 'u6hHJD7nhE', 'pZOHMZPond', 'FWeH4HJJq4', 'yYKHc8HPFH'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, MWgFDSRB8wfb0WKC1k.cs | High entropy of concatenated method names: 'Dispose', 'O5PIAyxZjx', 'V5x2uunWEL', 'sTpxxZ2YCy', 'bXeItT9vij', 'IuVIzPG4Ft', 'ProcessDialogKey', 'tdA2OU7vtE', 'jnu2IsODYL', 'Rta227t265'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, amgQhAT7fPN3ud71RvY.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JlUWgHAAtT', 'Mj7WErHjuB', 'mFbWYoWvQm', 'jXJW8prIes', 'TtHWVtSQZv', 't2KWw4TQH2', 'j1dWp5QyTn'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, bw2npPvQrAROUjGtgC.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'AKN2AJqwlw', 'Yx82tfvSsf', 'JlX2zB1C9O', 'Bf4yOFTVVZ', 'WvByIgF7FP', 'sNTy2GpvRW', 'n5byyhddYF', 'qRgJOhjVJOFCbRmU8pb'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, FQ4Pw8O5w1fgK4LJ1T.cs | High entropy of concatenated method names: 'N1sChtn6Gp', 'jgyCFqQgTa', 'HicC59yIkc', 'ufKC9RKXAd', 'BYuCvbm0rx', 'L1NCoolabg', 'wJyCe9n3vJ', 'ySrCHfltSj', 'h6PCZPuFAB', 'PHOCWVjgJ7'
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, x8EQAbobrC1c1P7M6y.csHigh entropy of concatenated method names: 'IHYHDIsMHw', 'FUtHu1cI4M', 'VQvHi9SKh1', 'xAdHk1eZQp', 'S6aHglQNl6', 'L5ZHRw6SE6', 'Next', 'Next', 'Next', 'NextBytes'
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, t7UJ2KQ1IBo4N52oUu.csHigh entropy of concatenated method names: 'nojIldKFaK', 'QsqIJhJQOn', 'JtVI4sE4Xw', 'JaMIcCOVY7', 'ihOIvJxkBO', 'nF6IoiecPS', 'OhkBVqx6qR4Lkfjvoo', 'Ex8QZkDIV3MfpbJh2X', 'qh0IINUTRW', 'iAgIyTbiIx'
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, d4egtNJefeVgDQmw9Y.csHigh entropy of concatenated method names: 'vInQaGxjvb', 'y4dQPLQjyb', 'sIUQrV5pIT', 'BHyQlV3oMb', 'gt2QJKrNYX', 'W98rVKYyPf', 'I4JrwI967W', 'KUErpeqcnn', 'uaPrsrvhPI', 'XH3rAxeUc2'
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, j9HJJUeI9tO23YHRcJ.csHigh entropy of concatenated method names: 'ToString', 'rWYoBQc5sV', 'S07ouIgNoW', 'BehoiH2cMg', 'VjrokF7dUT', 'r30oRUpFG3', 'LnMoKijCeF', 'OHKo3iNYfq', 'Fxmo10x1QA', 'm5xoUDWdrp'
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, YPFVHDdxNPJPKBZRSO.csHigh entropy of concatenated method names: 'afRlqtAohS', 'eaWlXUjKvC', 'oKulfv9svr', 'psLlhBfMCQ', 'auSl0CeH0F', 'qAslFxY1wk', 'RwhlN8J9ch', 'wgCl5Dutwl', 'HKOl9VDWLs', 'DjqlGDmhVs'
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, woU1cATS60TfWJL5KwE.csHigh entropy of concatenated method names: 'LPMZqlVoYe', 'mVgZXi6XHl', 'PYvZfC4r2a', 'E97Zh4gQaV', 'PXeZ0Fsy6L', 'rFjZFXRYWi', 'GGOZNR0Ofw', 'p6RZ5xtAPr', 'i8KZ9icNep', 'WieZGM5NSb'
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, hBgXbn67oTOR8K1VGC.csHigh entropy of concatenated method names: 'y83652ApkE', 'VZx69rpyuc', 'GDt6D5apva', 'AUw6u3D5wD', 'fb66klOAtO', 'xcX6RdJkw0', 'IcY63eou9R', 'PNo61jX9uM', 'iYS6SEOROs', 'q7D6Bha5rM'
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, lwSFEgGO8fQVunmcX5.csHigh entropy of concatenated method names: 'RE7ZI39oy3', 'iVDZymCg1J', 'aWKZdNNhP7', 'ndVZLnZnrN', 'c43ZPcrvx9', 'WZpZrSvqnp', 'uYFZQI7jMC', 'TmkHpSeHna', 'AYSHs8YAPu', 'fOWHA5A4RP'
                          Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, aQsUnflvEEP8Xc3DWo.csHigh entropy of concatenated method names: 'UY8vSFCh0x', 'VpZv762IZK', 'TBSvgxtxtI', 'dNEvE4njyP', 'tsovuig9qS', 'TrZviFtcak', 't7hvk70fRC', 'ljTvR4JK69', 'G3tvKGaOIg', 'x8Bv3A0jml'

                          Hooking and other Techniques for Hiding and Protection

                          Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon3162.png
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: Yara match File source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 4364, type: MEMORYSTR
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 14C0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 30C0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 50C0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 9140000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: A140000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: A340000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: B340000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 1470000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 2E30000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 14E0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Window / User API: threadDelayed 8590
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Window / User API: threadDelayed 1259
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe TID: 6208 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe TID: 4364 Thread sleep time: -26747778906878833s >= -30000s
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Thread delayed: delay time: 922337203685477
                          Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1989254791.00000000011C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information queried: ProcessInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C46A00 LdrInitializeThunk, 2_2_06C46A00
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory written: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process created: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe "C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe"
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.2011875810.0000000006EF6000.00000004.00000020.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.2009786488.00000000062A1000.00000004.00000020.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1989254791.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

                          Source: Yara matchFile source: dump.pcap, type: PCAP
                          Source: Yara matchFile source: 0.2.PO-1BdyzarvrjUANe0.exe.41a3f78.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.PO-1BdyzarvrjUANe0.exe.4158d58.5.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.PO-1BdyzarvrjUANe0.exe.41a3f78.3.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.2.PO-1BdyzarvrjUANe0.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.PO-1BdyzarvrjUANe0.exe.4158d58.5.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000002.00000002.1988809355.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1762571849.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1762571849.00000000041E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1762571849.000000000419B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 4364, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 1732, type: MEMORYSTR
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Electrum\walletsLRdq
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $dq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.000000000304C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Exodus\exodus.walletLRdq
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Ethereum\walletsLRdq
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Exodus\exodus.walletLRdq
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $dq%appdata%`,dqdC:\Users\user\AppData\Roaming`,dqdC:\Users\user\AppData\Roaming\Binance
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Ethereum\walletsLRdq
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $dq&%localappdata%\Coinomi\Coinomi\walletsLRdqD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $dq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match; File source: 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 1732, type: MEMORYSTR

                          Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.2.PO-1BdyzarvrjUANe0.exe.41a3f78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PO-1BdyzarvrjUANe0.exe.4158d58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PO-1BdyzarvrjUANe0.exe.41a3f78.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.PO-1BdyzarvrjUANe0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PO-1BdyzarvrjUANe0.exe.4158d58.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1988809355.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1762571849.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1762571849.00000000041E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1762571849.000000000419B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 4364, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 1732, type: MEMORYSTR

MITRE ATT&CK Matrix (a number preceding a technique name is the report's signature-hit count for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 11 Masquerading | 1 OS Credential Dumping | 231 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 241 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

Source | Detection | Scanner | Label | Link
PO-1BdyzarvrjUANe0.exe | 63% | ReversingLabs | Win32.Spyware.Redline |
PO-1BdyzarvrjUANe0.exe | 100% | Avira | TR/AD.RedLineSteal.arwid |
PO-1BdyzarvrjUANe0.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
                          No contacted domains info
                                                  http://tempuri.org/Entity/Id15ResponseDPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003212000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    unknown
                                                    http://tempuri.org/Entity/Id10ResponsePO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      unknown
                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RenewPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://tempuri.org/Entity/Id8ResponsePO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        unknown
                                                        http://www.founder.com.cn/cn/bThePO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://tempuri.org/DPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          unknown
                                                          http://schemas.xmlsoap.org/ws/2004/06/addressingexPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.typography.netDPO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/NoncePO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponsePO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fonts.comPO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.sandoll.co.krPO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://tempuri.org/Entity/Id13ResponsePO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/CommittedPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/ws/2004/04/security/sc/sctPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://tempuri.org/Entity/Id7ResponseDPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCTPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://www.google.com/images/branding/product/ico/googleg_lodp.icoPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://tempuri.org/Entity/Id4ResponseDPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_WrapPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2002/12/policyPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://tempuri.org/Entity/Id22ResponsePO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://tempuri.org/Entity/Id22ResponseDPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003223000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      http://tempuri.org/Entity/Id16ResponseDPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/IssuePO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/IssuePO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.fontbureau.com/designers/cabarga.htmlNPO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/spnegoPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.founder.com.cn/cnPO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2005/02/scPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://tempuri.org/Entity/Id18ResponsePO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsdPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://tempuri.org/Entity/Id3ResponsePO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequencePO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/soap/actor/nextPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://tempuri.org/Entity/Id14ResponseDPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryPO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://tempuri.org/Entity/Id9PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://tempuri.org/Entity/Id8PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  http://tempuri.org/Entity/Id5PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
188.190.10.19 | unknown | Ukraine | 56370 | ASINTTELUA | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1539389
Start date and time: 2024-10-22 16:10:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO-1BdyzarvrjUANe0.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 64
• Number of non-executed functions: 17
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: PO-1BdyzarvrjUANe0.exe
Simulations

Time | Type | Description
10:11:08 | API Interceptor | 74x Sleep call for process: PO-1BdyzarvrjUANe0.exe modified
Joe Sandbox View / Context (IPs)

Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.190.10.19 | vhFZk5qPZd.exe | malicious | RedLine |

Domains: No context

Joe Sandbox View / Context (ASNs)

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASINTTELUA | vhFZk5qPZd.exe | malicious | RedLine | 188.190.10.19
ASINTTELUA | PO24252509JASIC.scr.exe | malicious | RedLine | 188.190.10.12
ASINTTELUA | Qpp5L1vHC0.elf | malicious | Unknown | 188.190.4.165
ASINTTELUA | 6pZPnJdO23.elf | malicious | Mirai | 188.190.4.141
ASINTTELUA | 9EUxitC1xZ.elf | malicious | Mirai | 188.190.4.159
ASINTTELUA | xd.x86.elf | malicious | Mirai | 188.190.12.10
ASINTTELUA | nPkth7pJDB.elf | malicious | Mirai | 188.190.4.142
ASINTTELUA | duAaSiWM5K.elf | malicious | Unknown | 188.190.4.132
ASINTTELUA | 3dO4zEiA96 | malicious | Mirai | 188.190.4.116
ASINTTELUA | xd.arm | malicious | Mirai | 188.190.4.143

JA3 Fingerprints: No context
Dropped Files: No context
                                                                                      Process:C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1216
                                                                                      Entropy (8bit):5.34331486778365
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                      Malicious:true
                                                                                      Reputation:high, very likely benign file
Preview (CRLF line ends expanded):
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
This is the format of the CLR's per-executable assembly usage log, which the .NET 4 runtime writes for any managed process it starts (one line per assembly bound, with the native image used where one exists). It is written because the sample ran, not because the sample chose to drop it, which is why the reputation lookup rates the content as benign while the report still attributes the file to the sample; the entries show the sample loaded System.Windows.Forms, System.Drawing, System.Core, System.Configuration and System.Xml.
                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):7.792064506385091
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                      File name:PO-1BdyzarvrjUANe0.exe
                                                                                      File size:744'448 bytes
                                                                                      MD5:fac116ca092033649c6a8ae32e000508
                                                                                      SHA1:5139cdc83309a71256413e6e9948098deeb4f144
                                                                                      SHA256:dd7864aca2acdf7738015e6568b6d6fe2f425137c81dcfb19ba491852678b4a7
                                                                                      SHA512:650580c60ee171eb2e2b12dcdabe2f652828ea95f55abeb5c961858c4e5377b608096eba2d4ac21752766e0eb80f9a50903ba7f6444db7e438d97bae3797c31b
                                                                                      SSDEEP:12288:TX/gr9VWWwj6+VN4ei/fgrblL9nXhv6NSz/NYTlxcVpvY3WqpyzWuuspV:TvS9VWWi6+DsorHRv1VYTlaTJ0y
                                                                                      TLSH:14F40188B515B5BEC85387740974ED3155207EBEA207D30794EB7CABB93E6C39E042E2
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0......d......~.... ... ....@.. ....................................`................................
                                                                                      Icon Hash:276ea3a6a6b7bfbf
                                                                                      Entrypoint:0x4b157e
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x6708AAEA [Fri Oct 11 04:34:50 2024 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al          (repeated 97 times)
The entry point is the standard native stub of a managed executable: a single jmp through the IAT slot at 0x402000 (image base 0x400000 + IAT RVA 0x2000), which holds the address of the only import, mscoree.dll!_CorExeMain. Everything after the jmp is zero padding; the disassembler decodes the 00 00 byte pairs as "add byte ptr [eax], al", so the 97 repeated lines are not code. Real behaviour starts only once the CLR loads the managed entry point.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb1524 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x6180 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
A populated COM_DESCRIPTOR entry is the CLR header and is what makes this a managed (.NET) executable; the 8-byte IAT at 0x2000 is one 32-bit thunk plus its null terminator, i.e. the single imported function; the empty SECURITY entry matches "Digitally signed: false" above.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xaf584 | 0xaf600 | 2f1bfcac257d08057ed53ca5977c92f1 | False | 0.9120871013007841 | data | 7.838098776126378 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0x6180 | 0x6200 | ade738b423cb2d17158360a42746198e | False | 0.45471938775510207 | data | 5.642492898112896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0xc | 0x200 | f090270ec25d8453af2ee2c19a2e1472 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
An entropy of 7.84 bits per byte across the whole 0xaf600-byte .text section, with a ZLIB complexity of 0.91 (the section barely compresses), is far above what compiled CIL and metadata produce. Most of the section is therefore compressed or encrypted data rather than code, consistent with an embedded payload that is decoded at run time; the overall file entropy of 7.79 is dominated by this section.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb2268 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.3077956989247312
RT_ICON | 0xb2550 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.543918918918919
RT_ICON | 0xb2678 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.5610341151385928
RT_ICON | 0xb3520 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.6796028880866426
RT_ICON | 0xb3dc8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.546242774566474
RT_ICON | 0xb4330 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.4191908713692946
RT_ICON | 0xb68d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4800656660412758
RT_ICON | 0xb7980 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.6099290780141844
RT_GROUP_ICON | 0xb7de8 | 0x76 | data | | | 0.6271186440677966
RT_GROUP_ICON | 0xb7e60 | 0x14 | data | | | 1.05
RT_VERSION | 0xb7e74 | 0x30c | data | | | 0.42948717948717946
DLL | Import
mscoree.dll | _CorExeMain
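The static tables above support three checks that are worth automating before a sample ever runs: is the COM descriptor (CLR header) directory populated, does the entry point consist only of a jmp through the IAT (the managed stub), and which executable sections have an entropy that points at packed or encrypted content. The following is an added example written for this page, not code from Joe Sandbox or from the sample, using only the Python standard library. It runs on a constructed minimal PE32 embedded in the block (not the analysed file); the 7.0 entropy threshold and the constructed layout are assumptions. Feed `triage()` the real file's bytes to get the same answers as the tables.

```python
"""Static PE triage: CLR header present, IAT-jmp entry stub, per-section entropy (stdlib only)."""
import hashlib
import math
import struct

DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14      # IMAGE_DIRECTORY_ENTRY_* indices
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY = 7.0  # assumption: executable sections at or above this are flagged as packed/encrypted


def shannon_entropy(data):
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf):
    """Walk DOS header -> COFF header -> optional header -> section table."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", buf, coff + 2)[0]
    opt_size = struct.unpack_from("<H", buf, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    if magic == 0x10B:    # PE32: 32-bit ImageBase at +28, NumberOfRvaAndSizes at +92
        image_base, ndirs_off = struct.unpack_from("<I", buf, opt + 28)[0], opt + 92
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24, NumberOfRvaAndSizes at +108
        image_base, ndirs_off = struct.unpack_from("<Q", buf, opt + 24)[0], opt + 108
    else:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", buf, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", buf, ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode(), va=va, vsize=vsize,
                             rawptr=rawptr, rawsize=rawsize, chars=chars))
    return dict(image_base=image_base, entry=entry, dirs=dirs, sections=sections)


def rva_to_offset(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["va"])
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def triage(buf):
    pe = parse_pe(buf)
    dirs = pe["dirs"]
    iat_rva, iat_size = dirs[DIR_IAT] if len(dirs) > DIR_IAT else (0, 0)
    clr_size = dirs[DIR_COM_DESCRIPTOR][1] if len(dirs) > DIR_COM_DESCRIPTOR else 0
    # Managed EXEs start with "FF 25 <VA>": jmp dword ptr [IAT slot of mscoree!_CorExeMain].
    ep = rva_to_offset(pe, pe["entry"])
    entry_is_iat_jmp = False
    if buf[ep:ep + 2] == b"\xff\x25":
        target = struct.unpack_from("<I", buf, ep + 2)[0] - pe["image_base"]
        entry_is_iat_jmp = iat_rva <= target < iat_rva + iat_size
    sections = []
    for s in pe["sections"]:
        ent = shannon_entropy(buf[s["rawptr"]:s["rawptr"] + s["rawsize"]])
        packed = ent >= PACKED_ENTROPY and bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        sections.append((s["name"], round(ent, 3), packed))
    return dict(managed=clr_size != 0, entry_is_iat_jmp=entry_is_iat_jmp, sections=sections)


def build_sample_pe():
    """Constructed input, not the analysed sample: one executable .text section holding an IAT at
    RVA 0x2000, a CLR header at 0x2008, the jmp-through-IAT stub at 0x2050 and pseudo-random filler."""
    image_base, text_va, text_raw, file_align = 0x400000, 0x2000, 0x1000, 0x200
    body = bytearray(text_raw)
    struct.pack_into("<IHH", body, 8, 0x48, 2, 5)                             # CLR header: cb, runtime 2.5
    body[0x50:0x56] = b"\xff\x25" + struct.pack("<I", image_base + text_va)    # jmp dword ptr [0x402000]
    filler = b"".join(hashlib.sha256(b"filler%d" % i).digest() for i in range(text_raw // 32))
    body[0x56:] = filler[:text_raw - 0x56]                                    # deterministic high-entropy bytes
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)            # i386, 1 section, EXE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32
    struct.pack_into("<I", opt, 16, text_va + 0x50)                           # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, image_base, 0x2000, file_align)         # ImageBase, section/file alignment
    struct.pack_into("<II", opt, 56, text_va + 0x2000, file_align)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                        # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, text_va, 8)                # IAT directory
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, text_va + 8, 0x48)  # CLR header directory
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_raw, text_va, text_raw, file_align,
                       0, 0, 0, 0, 0x60000020)                                 # CODE|EXECUTE|READ
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(file_align, b"\0") + bytes(body)
```

On the constructed file `triage(build_sample_pe())` reports a managed image whose entry point is the IAT jmp and whose only section is executable with entropy near 8, the same three facts the tables above state for the sample; `triage(open(path, "rb").read())` applies the checks to any PE on disk. The entropy check is deliberately restricted to executable sections so that a large compressed resource section does not trigger it on its own.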
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-22T16:11:14.127926+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:14.127926+0200 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:14.379136+0200 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 188.190.10.19 | 1912 | 192.168.2.4 | 49733 | TCP
2024-10-22T16:11:19.480034+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:20.682993+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:20.689742+0200 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 188.190.10.19 | 1912 | 192.168.2.4 | 49733 | TCP
2024-10-22T16:11:20.981360+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:21.563029+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:21.838802+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:22.271687+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:22.686846+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:22.692481+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:23.634154+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:23.890863+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:24.194379+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:24.239630+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:24.538120+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:28.068897+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:28.381917+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:33.171919+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:33.752102+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:33.998709+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:34.246772+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
2024-10-22T16:11:34.648432+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 188.190.10.19 | 1912 | TCP
All 24 alerts belong to a single TCP connection, 192.168.2.4:49733 to 188.190.10.19:1912; the two rows in the reverse direction (SIDs 2043234 and 2046056) are the server answering on that same connection. The indicator to block and hunt for is therefore 188.190.10.19 on TCP port 1912, a non-standard port with no service name to hide behind.
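The second signature above names MC-NMF, Microsoft's .NET Message Framing: RedLine's C2 channel is a WCF net.tcp session, which opens with a short record-based preamble (Version, Mode, Via, KnownEncoding, PreambleEnd) before any SOAP envelope is exchanged, and the Via record carries the full net.tcp URI of the server. The following is an added example for this page, not the sample's code and not an Emerging Threats rule: a parser for that preamble plus a policy check that flags net.tcp clients talking to a bare IP literal on a non-default port. The sample preamble is constructed here from the C2 address and port in the alerts; the Via path the real sample sends and the choice of 808 as the only "expected" net.tcp port are assumptions, not facts from the report.

```python
"""Parse an MC-NMF (.NET Message Framing) client preamble and flag suspicious net.tcp targets."""
import ipaddress
from urllib.parse import urlsplit

# Record types defined by MC-NMF; a client preamble uses 0x00-0x04, optionally 0x09, and ends with 0x0C.
RECORD_NAMES = {
    0x00: "Version", 0x01: "Mode", 0x02: "Via", 0x03: "KnownEncoding",
    0x04: "ExtensibleEncoding", 0x05: "UnsizedEnvelope", 0x06: "SizedEnvelope",
    0x07: "End", 0x08: "Fault", 0x09: "UpgradeRequest", 0x0A: "UpgradeResponse",
    0x0B: "PreambleAck", 0x0C: "PreambleEnd",
}
MODES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODINGS = {0: "UTF-8/SOAP1.1", 1: "UTF-16/SOAP1.1", 2: "Unicode-LE/SOAP1.1",
             3: "UTF-8/SOAP1.2", 4: "UTF-16/SOAP1.2", 5: "Unicode-LE/SOAP1.2",
             6: "MTOM", 7: "Binary", 8: "Binary+InBandDictionary"}
DEFAULT_NET_TCP_PORT = 808  # assumption for the policy: WCF's default net.tcp port; anything else is flagged


def encode_varint(n):
    """MC-NMF size encoding: 7 bits per byte, least significant first, high bit set = more bytes follow."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def read_varint(buf, pos):
    value = shift = 0
    for i in range(5):  # sizes are at most five bytes
        b = buf[pos + i]
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos + i + 1
    raise ValueError("size field longer than five bytes")


def parse_preamble(buf):
    """Walk records up to PreambleEnd; return (fields keyed by record name, bytes consumed)."""
    pos, fields = 0, {}
    while pos < len(buf):
        rtype = buf[pos]
        pos += 1
        if rtype == 0x00:                      # Version: major, minor
            fields["Version"] = (buf[pos], buf[pos + 1])
            pos += 2
        elif rtype == 0x01:                    # Mode: one byte
            fields["Mode"] = MODES.get(buf[pos], "Unknown(%d)" % buf[pos])
            pos += 1
        elif rtype == 0x03:                    # KnownEncoding: one byte
            fields["KnownEncoding"] = ENCODINGS.get(buf[pos], "Unknown(%d)" % buf[pos])
            pos += 1
        elif rtype in (0x02, 0x04, 0x09):      # Via / ExtensibleEncoding / UpgradeRequest: size + UTF-8 string
            n, pos = read_varint(buf, pos)
            fields[RECORD_NAMES[rtype]] = buf[pos:pos + n].decode("utf-8")
            pos += n
        elif rtype == 0x0C:                    # PreambleEnd: the server answers with PreambleAck (0x0B)
            return fields, pos
        else:
            raise ValueError("unexpected %s record in preamble" % RECORD_NAMES.get(rtype, hex(rtype)))
    raise ValueError("preamble truncated before PreambleEnd")


def classify_preamble(buf):
    """Reasons a net.tcp preamble looks like stealer C2 rather than an ordinary WCF client."""
    fields, _ = parse_preamble(buf)
    via = urlsplit(fields.get("Via", ""))
    reasons = []
    if via.scheme != "net.tcp":
        return reasons
    try:
        ipaddress.ip_address(via.hostname or "")
        reasons.append("Via targets a bare IP literal")
    except ValueError:
        pass
    if via.port not in (None, DEFAULT_NET_TCP_PORT):
        reasons.append("non-default net.tcp port %d" % via.port)
    return reasons


def build_preamble(via, mode=2, encoding=8):
    """Client preamble: Version 1.0, Mode, Via, KnownEncoding, PreambleEnd (the record order a net.tcp client sends)."""
    v = via.encode("utf-8")
    return (bytes([0x00, 0x01, 0x00, 0x01, mode, 0x02]) + encode_varint(len(v)) + v
            + bytes([0x03, encoding, 0x0C]))


# Constructed sample: the C2 endpoint from the alerts, framed as a duplex, binary-encoded net.tcp session.
# The Via path the real sample sends is not shown in the report; only the host and port come from it.
C2_PREAMBLE = build_preamble("net.tcp://188.190.10.19:1912/")
```

Applied to the first client bytes of the 49733 to 1912 connection, the parser recovers the Via URI and the framing mode, and `classify_preamble()` reports both the IP-literal target and the non-default port; a preamble for `net.tcp://localhost:808/...` yields no reasons. Because the check keys on the framing preamble rather than on the SOAP payload, it still fires when the envelope content changes between RedLine builds, whereas a rule that matches the Authorization header alone does not.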
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 16:11:13.059772015 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:13.065116882 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:13.065217972 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:13.076234102 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:13.081548929 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:13.921087980 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:13.975613117 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:14.127926111 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:14.133380890 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:14.379136086 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:14.428762913 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:19.480034113 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:19.485554934 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:19.727965117 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:19.727982044 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:19.727993011 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:19.728004932 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:19.728018045 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:19.728086948 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:19.728135109 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:20.682992935 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:20.689742088 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:20.930181980 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:20.975624084 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:20.981359959 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:20.986912012 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:21.227560043 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:21.272521973 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:21.563029051 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:21.569360018 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:21.810201883 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:21.838802099 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:21.844261885 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:22.084964037 CEST | 1912 | 49733 | 188.190.10.19 | 192.168.2.4
Oct 22, 2024 16:11:22.131875038 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
Oct 22, 2024 16:11:22.271687031 CEST | 49733 | 1912 | 192.168.2.4 | 188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.277167082 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.518496037 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.568805933 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.686846018 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.692378998 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692389965 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692435026 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.692436934 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692446947 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692481041 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.692507029 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692516088 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692528009 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.692547083 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.692560911 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.692594051 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692604065 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692621946 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692631006 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692639112 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.692653894 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.692679882 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.692699909 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692709923 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.692750931 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.697757006 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.697767019 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.697812080 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.697905064 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.697915077 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.697947025 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.698057890 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.698116064 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.698191881 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.698259115 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.698683977 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.698745966 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.706782103 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.706886053 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.707007885 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.712306976 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712316036 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712332964 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712342978 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712351084 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.712372065 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712374926 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.712382078 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712412119 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.712431908 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.712438107 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712447882 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712471962 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.712482929 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712485075 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.712492943 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712528944 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.712573051 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712582111 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712605953 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.712620020 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.712656021 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712687016 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.712694883 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712826967 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712836027 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712845087 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712869883 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712878942 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712889910 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712915897 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712925911 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712964058 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712974072 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.712985039 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713006020 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713116884 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.713135004 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713145971 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713171959 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.713184118 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.713206053 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713216066 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713239908 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713257074 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.713273048 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.713305950 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713340044 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.713351965 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713361979 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713382959 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713396072 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.713421106 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.713434935 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713444948 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713449001 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713473082 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713481903 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713483095 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.713520050 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.713551044 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713560104 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713568926 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713578939 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713612080 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713620901 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713630915 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713641882 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713773012 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713830948 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713839054 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713849068 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.713860989 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.717864037 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.717904091 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.717984915 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.718086004 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.718178988 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.718188047 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.718305111 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.718372107 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.718478918 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.718530893 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.718641043 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.718667984 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.718910933 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.719407082 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.719574928 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.719593048 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.719728947 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.719737053 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.719799042 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.719830036 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.719846964 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.719896078 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.719944000 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.719995022 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720103025 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720110893 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720146894 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720155954 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720223904 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720240116 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720300913 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720309973 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720382929 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720391989 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720424891 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720424891 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.720433950 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720484018 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:22.720515013 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720525026 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720580101 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720588923 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720597982 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720628977 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720670938 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720679998 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720753908 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720762968 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720832109 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720860004 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720887899 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720932961 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.720973969 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721061945 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721071005 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721080065 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721129894 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721204042 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721251011 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721260071 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721328020 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721338034 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721399069 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721477985 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721487045 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721496105 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:22.721504927 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247298002 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247320890 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247330904 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247340918 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247350931 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247360945 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247369051 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247378111 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247395992 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247406960 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247416019 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247556925 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.247566938 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.488022089 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:24.538120031 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:28.068897009 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:28.074837923 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:28.074881077 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:28.074913025 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:28.338327885 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:28.381917000 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:33.171919107 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:33.177797079 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:33.419230938 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:33.460036993 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:33.752101898 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:33.757800102 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:33.998281956 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:33.998708963 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:34.004184008 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:34.245906115 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:34.246772051 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:34.252326012 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:34.493110895 CEST191249733188.190.10.19192.168.2.4
                                                                                      Oct 22, 2024 16:11:34.538247108 CEST497331912192.168.2.4188.190.10.19
                                                                                      Oct 22, 2024 16:11:34.648432016 CEST497331912192.168.2.4188.190.10.19


                                                                                      Target ID:0
                                                                                      Start time:10:11:07
                                                                                      Start date:22/10/2024
                                                                                      Path:C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe"
                                                                                      Imagebase:0xcb0000
                                                                                      File size:744'448 bytes
                                                                                      MD5 hash:FAC116CA092033649C6A8AE32E000508
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1762571849.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1762571849.00000000041E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1762571849.000000000419B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:10:11:10
                                                                                      Start date:22/10/2024
                                                                                      Path:C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe"
                                                                                      Imagebase:0xa50000
                                                                                      File size:744'448 bytes
                                                                                      MD5 hash:FAC116CA092033649C6A8AE32E000508
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1988809355.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:true


                                                                                        Execution Graph

                                                                                        Execution Coverage:9.1%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:5.2%
                                                                                        Total number of Nodes:194
                                                                                        Total number of Limit Nodes:16

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1766941378.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: true
• Associated: 00000000.00000002.1766812398.0000000007850000.00000004.08000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7850000_PO-1BdyzarvrjUANe0.jbxd
Similarity
• String ID: Hhq$Hhq$Hhq$Hhq$Hhq
• API String ID: 0-1427472961
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a80362bf154126613be86b280826b48ca98802c302bb2eb41c7b66610c519332
                                                                                        • Instruction ID: 3ca6e9569d9c797ec1794c8c1f9297bd0a232a45716bc4b406fd0a4134414c10
                                                                                        • Opcode Fuzzy Hash: a80362bf154126613be86b280826b48ca98802c302bb2eb41c7b66610c519332
                                                                                        • Instruction Fuzzy Hash: B3411D74E45209DFCB48DFA5C5806EEFBF2EFC9300F24E4A99409A7664DB349A41CB60

                                                                                        Control-flow Graph (graph not reproduced)
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 02EBD536
                                                                                        • GetCurrentThread.KERNEL32 ref: 02EBD573
                                                                                        • GetCurrentProcess.KERNEL32 ref: 02EBD5B0
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02EBD609
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: afdac8c7b3303b76a9e6c49f04a1fe27be686bc36aff81d92bdb030270f27d68
                                                                                        • Instruction ID: d263ef62cb25ff1ebd9c30d26e2ea1e18352ddf4f2d835a3c2ab179cbb212822
                                                                                        • Opcode Fuzzy Hash: afdac8c7b3303b76a9e6c49f04a1fe27be686bc36aff81d92bdb030270f27d68
                                                                                        • Instruction Fuzzy Hash: A55135B0901349CFDB15CFA9DA48BDEBBF1EF48318F24849AE509A7260D7345984CB65

                                                                                        Control-flow Graph (graph not reproduced)
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 02EBD536
                                                                                        • GetCurrentThread.KERNEL32 ref: 02EBD573
                                                                                        • GetCurrentProcess.KERNEL32 ref: 02EBD5B0
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02EBD609
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: 7f3c48fd0e6be4195673de8672b605bfe6e5a7c07cad393b2b979d55f4893c45
                                                                                        • Instruction ID: 7e94e8815c419fd130d02d43ad98938e3749feace6887407e44357a5f6c7d6cb
                                                                                        • Opcode Fuzzy Hash: 7f3c48fd0e6be4195673de8672b605bfe6e5a7c07cad393b2b979d55f4893c45
                                                                                        • Instruction Fuzzy Hash: 2B5115B0901309CFDB14CFAADA48B9EBBF1EF48318F24C459E519A7260D7745984CF65

                                                                                        Control-flow Graph (graph not reproduced)
                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09037E8E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: 39ddd3955a6a320cfa811031d6a02c114a1bc485bbe8394ffae1d08a97aeb04a
                                                                                        • Instruction ID: e5ff290c88b81fe271c1105b16e3502ff9c55b0d30e13023f3c6ba941fced8d1
                                                                                        • Opcode Fuzzy Hash: 39ddd3955a6a320cfa811031d6a02c114a1bc485bbe8394ffae1d08a97aeb04a
                                                                                        • Instruction Fuzzy Hash: AA915AB1D00219CFDB25CFA9C841BEEBBF6BF48310F5485A9E809A7250DB749985CF91

                                                                                        Control-flow Graph (graph not reproduced)
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02EBB486
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 1f7a2bb698c024ac2a0c4ea0d1a794c2f38f3cb71a8a3b519c91570983a8b386
                                                                                        • Instruction ID: 57189aa33773f117bfe46b45832844d9c17be322eb3af4fc310c9831165a9620
                                                                                        • Opcode Fuzzy Hash: 1f7a2bb698c024ac2a0c4ea0d1a794c2f38f3cb71a8a3b519c91570983a8b386
                                                                                        • Instruction Fuzzy Hash: 04813370A00B458FDB65DF6AD44079BBBF1BF88308F008A6DD48AD7A50DB74E845CB90

                                                                                        Control-flow Graph (graph not reproduced)
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 02EB5EE1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 50a0137212509ce451ebb162f33179a71f5268394a71fd84c17969fe1c94234b
                                                                                        • Instruction ID: 8424fabdf209a0f937ca6b341e412715f97519702037e7378fb499345b651e77
                                                                                        • Opcode Fuzzy Hash: 50a0137212509ce451ebb162f33179a71f5268394a71fd84c17969fe1c94234b
                                                                                        • Instruction Fuzzy Hash: 4641CEB0C0061DCADB25CFAAC984BDEBBB5FF48304F60846AD509AB251DBB56945CF90

                                                                                        Control-flow Graph (graph not reproduced)
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 02EB5EE1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 84f58ffe46be2fd3e057a9b9897b31847722158f14267233da1d87f9e89effd3
                                                                                        • Instruction ID: 9220dae84371bcebe53212124dbfc454a9ba3b678686d13210faeba31cb947c1
                                                                                        • Opcode Fuzzy Hash: 84f58ffe46be2fd3e057a9b9897b31847722158f14267233da1d87f9e89effd3
                                                                                        • Instruction Fuzzy Hash: C841FFB0C00619CEDB25CFAAC984BCEBBB5BF48304F6080AAD409AB251DBB56945CF50

                                                                                        Control-flow Graph (graph not reproduced)
                                                                                        APIs
                                                                                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0563468F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1764346896.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_5630000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: DrawText
                                                                                        • String ID:
                                                                                        • API String ID: 2175133113-0
                                                                                        • Opcode ID: 21d38faa391f6576c668e2417bf628979a3dc151ddb2c13a8ae94ee27cb62bfa
                                                                                        • Instruction ID: bffc260948f39e061e7ae8ea9f71eb7a5433d1aab8a9bde87cb1f001e50329e2
                                                                                        • Opcode Fuzzy Hash: 21d38faa391f6576c668e2417bf628979a3dc151ddb2c13a8ae94ee27cb62bfa
                                                                                        • Instruction Fuzzy Hash: FD3106B6900209AFDF00CF99D884ADEBBF5EF58320F24841AE915A7310C775A550DBA0
                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09037660
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: 21659f1f3715777bc7121cf0be85e4b38feffff5c564f3a4a75136fc671a67e5
                                                                                        • Instruction ID: 1ed9cc26b351d813fd85e219122ee3b794da08cae0808a592ef0abfddfe69b60
                                                                                        • Opcode Fuzzy Hash: 21659f1f3715777bc7121cf0be85e4b38feffff5c564f3a4a75136fc671a67e5
                                                                                        • Instruction Fuzzy Hash: 782148B59003499FCB10CFAAC985BEEBBF5FF48310F54882AE959A7240C7789545DBA0
                                                                                        APIs
                                                                                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0563468F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1764346896.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_5630000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: DrawText
                                                                                        • String ID:
                                                                                        • API String ID: 2175133113-0
                                                                                        • Opcode ID: 4d5d246c72c5df312502f419d8ca1cd03279f8609f2a560187fe30053d78d648
                                                                                        • Instruction ID: 9538e444ea620cad3aac7d6ef67e685e86011815010fbca77b34cf4dfb7ec11d
                                                                                        • Opcode Fuzzy Hash: 4d5d246c72c5df312502f419d8ca1cd03279f8609f2a560187fe30053d78d648
                                                                                        • Instruction Fuzzy Hash: FA31E0B59012099FDB10CF9AD884ADEFBF5FB48320F24842AE819A7310D775A944CFA0
                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09037660
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: e01aded99c8063c66acd8acb34dae7171e9629168be9c1e65b165aff4256d5e6
                                                                                        • Instruction ID: d42f2643dffb5c921deb40edb5b2a01ff80f4399ea8b8849841b557421929893
                                                                                        • Opcode Fuzzy Hash: e01aded99c8063c66acd8acb34dae7171e9629168be9c1e65b165aff4256d5e6
                                                                                        • Instruction Fuzzy Hash: 0B212AB19003499FDB10CFAAC885BDEBBF5FF48310F50882AE919A7240C7789540DBA4
                                                                                        APIs
                                                                                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0563468F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1764346896.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_5630000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: DrawText
                                                                                        • String ID:
                                                                                        • API String ID: 2175133113-0
                                                                                        • Opcode ID: 5683f32a1cc53d6a7f705388aaa3ca2ea2844eb412f480dae1aca0b560492f9e
                                                                                        • Instruction ID: fa7b64abf8a6becccb17de875edd200d2f219d9ee8966dd2dcd8606d69d5f3e5
                                                                                        • Opcode Fuzzy Hash: 5683f32a1cc53d6a7f705388aaa3ca2ea2844eb412f480dae1aca0b560492f9e
                                                                                        • Instruction Fuzzy Hash: 8221C0B59002099FDB10CF9AD884A9EFBF5BB48320F24842AE819A7710D775A944CFA0
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 09039EE5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        • Opcode ID: a8407e73aa72586dc5eb6c6c36183807bb3f01732275e9d93d6f20604b47a9a1
                                                                                        • Instruction ID: 55b9bd91f346266d541cfbf4e2ca7a1ca4581db804fb63b80a95aeb0d1acb786
                                                                                        • Opcode Fuzzy Hash: a8407e73aa72586dc5eb6c6c36183807bb3f01732275e9d93d6f20604b47a9a1
                                                                                        • Instruction Fuzzy Hash: A1217AB6800349CEDB20CF9AD584BDEFFF8EB48324F24880AD558A3600C375A584CFA1
                                                                                        APIs
                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 090374B6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContextThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 983334009-0
                                                                                        • Opcode ID: ef1a848375c9f70cc30dca68cf007097ead4dd5bcaac195e25383eed9221072a
                                                                                        • Instruction ID: 6a718b94f5bf884b8bbeb5a2bd318a04e80cfa941aa1a87672e5884ce9a63bb7
                                                                                        • Opcode Fuzzy Hash: ef1a848375c9f70cc30dca68cf007097ead4dd5bcaac195e25383eed9221072a
                                                                                        • Instruction Fuzzy Hash: 792148B19003099FDB10DFAAC4817EEBFF9AF88324F54C42AD559A7241C778A945CFA1
                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09037B40
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessRead
                                                                                        • String ID:
                                                                                        • API String ID: 1726664587-0
                                                                                        • Opcode ID: f51485c5cdae7ab802abf879c454f6603c736f7b6daf4a116b1e23799edf6cc6
                                                                                        • Instruction ID: 18dc6a87c8d48bf509958131d7737ca18852c16213c0dcce156691451477b5c0
                                                                                        • Opcode Fuzzy Hash: f51485c5cdae7ab802abf879c454f6603c736f7b6daf4a116b1e23799edf6cc6
                                                                                        • Instruction Fuzzy Hash: 8B2116B18003499FDB10CFAAC881AEEFBF5FF48320F50842AE559A7240C7789540DBA5
                                                                                        APIs
                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 090374B6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContextThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 983334009-0
                                                                                        • Opcode ID: 130f375657fe33878e42dd0345e1f97020e4cc769c3842a337e19b98c7e8bd61
                                                                                        • Instruction ID: cbabfd4508ec989d98eb9c0368f7bd2400433ee1693f2075420a89b0ce29d535
                                                                                        • Opcode Fuzzy Hash: 130f375657fe33878e42dd0345e1f97020e4cc769c3842a337e19b98c7e8bd61
                                                                                        • Instruction Fuzzy Hash: F92137B19003098FDB10DFAAC4857EEBFF9AF48324F54C42AD559A7240C778A944CFA1
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EBD787
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: e3d397535f92c25319bb2589d8aaec0b1ee97ba3167eec5d31704639d79c51a3
                                                                                        • Instruction ID: aa7a5a1bc2437c8b08d443c64c1026f4f61345009fb09555660f4895cbd8abd5
                                                                                        • Opcode Fuzzy Hash: e3d397535f92c25319bb2589d8aaec0b1ee97ba3167eec5d31704639d79c51a3
                                                                                        • Instruction Fuzzy Hash: 812103B5900209DFDB11CFAAD984AEEBFF4EF08320F14845AE958B7210C378A951CF60
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EBD787
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 2af8bc38e4b8abd34fbd7cd36678391ca2c4ff1040e3d778580a1f4731be558d
                                                                                        • Instruction ID: 3ad7bc60e1ce046a4f6ad94d7ca5ad819b3d632330803afbb541ff2c3d0d5074
                                                                                        • Opcode Fuzzy Hash: 2af8bc38e4b8abd34fbd7cd36678391ca2c4ff1040e3d778580a1f4731be558d
                                                                                        • Instruction Fuzzy Hash: 1A21E4B59002089FDB10CF9AD984ADEBFF8EF48320F14841AE918A3310C378A950CFA0
                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09037B40
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessRead
                                                                                        • String ID:
                                                                                        • API String ID: 1726664587-0
                                                                                        • Opcode ID: 41587e7cd511d3e23299d8b2ba75aa3472121ab1586116980f2d17aa56d218aa
                                                                                        • Instruction ID: da0e6a7341bee39d92a67add1e5eabf87c30999ae1f8f90da3b16e290ee76113
                                                                                        • Opcode Fuzzy Hash: 41587e7cd511d3e23299d8b2ba75aa3472121ab1586116980f2d17aa56d218aa
                                                                                        • Instruction Fuzzy Hash: 1F2125B1D002499FDB10CFAAC981BEEFBF5FF48320F54882AE559A7250C7789940DB64
                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0903757E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 4acf55f54d0b49a4bb9ea7001c135e97edee3857310373a1cb0a4502db830c21
                                                                                        • Instruction ID: cba5899fd85528f46e2d363626dbe05afa22d4f6fdfac4eb44558636373efbf4
                                                                                        • Opcode Fuzzy Hash: 4acf55f54d0b49a4bb9ea7001c135e97edee3857310373a1cb0a4502db830c21
                                                                                        • Instruction Fuzzy Hash: A51159B29002499FCB14CFAAC944ADFBFF9EF88320F24881AE519A7650C7759540CFA0
                                                                                        APIs
                                                                                        • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07865A6A,?,?,?,?,?), ref: 07865B0F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1766941378.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1766812398.0000000007850000.00000004.08000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7850000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFromIconResource
                                                                                        • String ID:
                                                                                        • API String ID: 3668623891-0
                                                                                        • Opcode ID: c3435005cfa1f3f6b6dc112f2ee82852a8ea48eb421b29bc34e0fba2140f3532
                                                                                        • Instruction ID: 16ef8cc53f6cdd0fa49f82c6b828ff17752f6efa708a34cd611f28a067b6e079
                                                                                        • Opcode Fuzzy Hash: c3435005cfa1f3f6b6dc112f2ee82852a8ea48eb421b29bc34e0fba2140f3532
                                                                                        • Instruction Fuzzy Hash: 871137B1900349AFDB10CF9AC885BEEBFF8EB58320F14841AE915A7250C375A954DFA4
                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0903757E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 8ee573736521373780a6798f1a990ecaa832fae5ff8297e06d22a45069711172
                                                                                        • Instruction ID: 19c7412123aebd7e27be11117388d63692e5f723d53052a0554a9cf0f574109e
                                                                                        • Opcode Fuzzy Hash: 8ee573736521373780a6798f1a990ecaa832fae5ff8297e06d22a45069711172
                                                                                        • Instruction Fuzzy Hash: 5C116AB19003099FCB10CFAAC845ADFBFF9EF48320F148819E519A7250C7759540CFA1
                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09037660
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: 03db186ec0b09e84418677a8ad5638e3fcd19dad91f44d4abf1d6210bdcfd07d
                                                                                        • Instruction ID: c2a791fdaa11e3f0a754b3ff3f914e9bfe563fe3f3e805b1770e9cce1c36534c
                                                                                        • Opcode Fuzzy Hash: 03db186ec0b09e84418677a8ad5638e3fcd19dad91f44d4abf1d6210bdcfd07d
                                                                                        • Instruction Fuzzy Hash: 481166F2804205CFDB14CF6CD4687DDBBE8AF54368F64C81AD094EB292C7395442EBA1
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: 2099de7492c448a2a5492c25dc4d189519dbbcfe4865edf8f9ffd2dd6348bfc5
                                                                                        • Instruction ID: 0678e37ee967512421ba570b456da72b35040088e8263cc5e65f1bcb1c0588a0
                                                                                        • Opcode Fuzzy Hash: 2099de7492c448a2a5492c25dc4d189519dbbcfe4865edf8f9ffd2dd6348bfc5
                                                                                        • Instruction Fuzzy Hash: D01158B19002498EDB20DFAAC5457EEFFF9AF98324F24881AD519A7340C7759545CFA0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: 2a64766f0215b93aa4761c71f87033a40e884fcf869c3181bc4af0cd4dc3208a
                                                                                        • Instruction ID: d491b51724e8db61790e2a6ea01c36d3ead49b68e88b6b40c1cdc27c2beb387c
                                                                                        • Opcode Fuzzy Hash: 2a64766f0215b93aa4761c71f87033a40e884fcf869c3181bc4af0cd4dc3208a
                                                                                        • Instruction Fuzzy Hash: A31128B19003498FDB20DFAAC4457DEFFF9AB98324F24881AD519A7240C775A544CBA5
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02EBB486
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 7ce1e8473edef88f9e5004dd8926a1b89fde7351ec77d2ba4f09e7664d89a2de
                                                                                        • Instruction ID: d3245dc525e1d72a3749eb65ecffd6c06fac9eea9ee462e707ab7bf3013a6735
                                                                                        • Opcode Fuzzy Hash: 7ce1e8473edef88f9e5004dd8926a1b89fde7351ec77d2ba4f09e7664d89a2de
                                                                                        • Instruction Fuzzy Hash: 4D11CDB5C002498EDB20CF9AC944ADEFBF8AF88328F14C45AD859A7610D379A545CFA1
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 09039EE5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost
                                                                                        • String ID:
                                                                                        • API String ID: 410705778-0
                                                                                        • Opcode ID: eb3135ff9a55542cee8daa85f5c4c8a1f1f7ffea40327c6d2e0bf9c023085f3f
                                                                                        • Instruction ID: 6f19ae749c6fe3cf1d2aedf95a4a815a1fc15b384edda47e8a05da9c66315f3d
                                                                                        • Opcode Fuzzy Hash: eb3135ff9a55542cee8daa85f5c4c8a1f1f7ffea40327c6d2e0bf9c023085f3f
                                                                                        • Instruction Fuzzy Hash: 71110AB5800349DFDB10CF9AC585BDEBBF8EB58320F20885AE955A7600C375A944CFA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1760846955.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_131d000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7d75bfd3947ee71b2e1c0b8484ee107df5ce00f5c8dd47c0ab34f6cb67d5d600
                                                                                        • Instruction ID: ec7410b75ae3dd20397107707be77382757960c46bfd8e8f0b7d60b49dca0416
                                                                                        • Opcode Fuzzy Hash: 7d75bfd3947ee71b2e1c0b8484ee107df5ce00f5c8dd47c0ab34f6cb67d5d600
                                                                                        • Instruction Fuzzy Hash: F8216DB1144204DFDB09DF44D5C4B56BF65FB88318F20C56DE90A1B25ACB36E446C7A1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1760888884.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_132d000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 13a4680042ed7488eb9bc5e6a2e05a1433bed6ce4a60d06912ba042b4118314c
                                                                                        • Instruction ID: bc8e9627c3e1dd5968a84b73133637c94799d6b94ed5e5fb19b31b6deb429fa8
                                                                                        • Opcode Fuzzy Hash: 13a4680042ed7488eb9bc5e6a2e05a1433bed6ce4a60d06912ba042b4118314c
                                                                                        • Instruction Fuzzy Hash: 822146B1504304EFDB05EF98D9C0B26BBA9FB85328F20C96DE9094B252C336D406CB61
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1760888884.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_132d000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1d9fdfbc8e6add992e4fe19b76db868398f06be7aaa15f9e064e9c11989f7134
                                                                                        • Instruction ID: c42cde8d5683b0c0220f91c5975c75536f77cf435f9915aea30347c128c5a061
                                                                                        • Opcode Fuzzy Hash: 1d9fdfbc8e6add992e4fe19b76db868398f06be7aaa15f9e064e9c11989f7134
                                                                                        • Instruction Fuzzy Hash: C82134B1604244DFCB15EF58D9C0B26BF65FB84358F20C96DE90A4B2A6C33AD407CAA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1760888884.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_132d000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 403895911c32f892d6bbbfeb733f0366157c495aa7e5b6e99ef153770775d13f
                                                                                        • Instruction ID: ad5d38c6a597441934ab2f9a322f951461fc67e42d5bf6a36a57ff8179002d9c
                                                                                        • Opcode Fuzzy Hash: 403895911c32f892d6bbbfeb733f0366157c495aa7e5b6e99ef153770775d13f
                                                                                        • Instruction Fuzzy Hash: AD2180755083809FCB13DF64D994B11BF71EB46218F28C5DAD8498F2A7C33A985ACB62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1760846955.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_131d000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                        • Instruction ID: c7546c8217342695ec36562a04f625e9103f6307b781b862e49dbb78a0e56cbf
                                                                                        • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                        • Instruction Fuzzy Hash: 9C112672444240CFDB16CF44D5C4B56BF72FB84328F24C6A9D9090B65BC73AE45ACBA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1760888884.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_132d000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                        • Instruction ID: a604d122d4cd01210d2180a006dd356421e1b879886997317738e875cac00ae6
                                                                                        • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                        • Instruction Fuzzy Hash: BC11BB75504380DFDB12DF54D5C0B15BBB2FB85228F24C6AAD8494B696C33AD44ACB61
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1766812398.0000000007850000.00000004.08000000.00040000.00000000.sdmp, Offset: 07850000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1766941378.0000000007860000.00000040.00000800.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7850000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e5040a46358f2346cb87d89f51ae6deab5fd9d69999703b9c79b85ecd432504c
                                                                                        • Instruction ID: 6d74f7046fe577564a28355b4d1f81e60cb91b6d6af71093f91dc9bf97df7fde
                                                                                        • Opcode Fuzzy Hash: e5040a46358f2346cb87d89f51ae6deab5fd9d69999703b9c79b85ecd432504c
                                                                                        • Instruction Fuzzy Hash: 80A2B27148E3C18FC7578B7088B55817FB0AE1322475E85EFD4C58E4A3E3AE585ACB62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9a889d1c758640b68200053c96994d71c049fcc87ca04a5147fef1ad6af52513
                                                                                        • Instruction ID: 51f7de163a33735f952e29f00ac505e513a673a509832330698020f2daef8ec7
                                                                                        • Opcode Fuzzy Hash: 9a889d1c758640b68200053c96994d71c049fcc87ca04a5147fef1ad6af52513
                                                                                        • Instruction Fuzzy Hash: E5E10974E042598FCB14CFA9C5909AEBBB2FF89304F24D569E815AB365C734AD42CF60
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0b3716e63379e812387daaba622ee2e138eb23a85b683565790dcb4ce9b5dd24
                                                                                        • Instruction ID: 7eec12d79a14b02acf4b69569ae836b484b159aee9033ddf3758f34225df64d8
                                                                                        • Opcode Fuzzy Hash: 0b3716e63379e812387daaba622ee2e138eb23a85b683565790dcb4ce9b5dd24
                                                                                        • Instruction Fuzzy Hash: 96E1F874E001198FCB14CFA9C5809AEBBB2FF89304F64D569E819AB365D735A941CFA0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3329519fc9760042d08589653c9dd451a11a2f6b11f2f1697600632b61d3134e
                                                                                        • Instruction ID: a942dcda0bde5c6e15eab7129d5894b906fce21173d45590db7043d5b35864a5
                                                                                        • Opcode Fuzzy Hash: 3329519fc9760042d08589653c9dd451a11a2f6b11f2f1697600632b61d3134e
                                                                                        • Instruction Fuzzy Hash: 91E105B4E001198FCB14CFA9C5809AEBBF6FF89304F24D569E815AB355D734A982CF60
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 99c557e7e8562241869285802bf80fc866addf1302e0b90edd13a29759f911a3
                                                                                        • Instruction ID: f68e6373839e783c1b7293b7b03482995df683486e1c76f2d73477965cd7ba1f
                                                                                        • Opcode Fuzzy Hash: 99c557e7e8562241869285802bf80fc866addf1302e0b90edd13a29759f911a3
                                                                                        • Instruction Fuzzy Hash: 58E1F874E041198FCB14CFA9C5909AEBBF2FF89304F24D569E819AB355D734A982CF60
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 33d3bed89fbbf8a9a8037cbd8e9c19db263d3f75a0d9045a06294601532da965
                                                                                        • Instruction ID: 822cd721cf19a0350df456f678545d27daadf3f27c05c24cde82a3487c9046d1
                                                                                        • Opcode Fuzzy Hash: 33d3bed89fbbf8a9a8037cbd8e9c19db263d3f75a0d9045a06294601532da965
                                                                                        • Instruction Fuzzy Hash: DAE10774E005199FCB14CFA9C5819AEBBF2FF89304F24C669E815AB355C735A982CF60
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1764346896.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_5630000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6e53d0d673a7e68488963691a82827580c468446521c7cff22ed27ddb12959ce
                                                                                        • Instruction ID: e46d57474f439ccb6a5cb59addd16955eeb3ca9f7c8f5352cd8b31e89963dd0f
                                                                                        • Opcode Fuzzy Hash: 6e53d0d673a7e68488963691a82827580c468446521c7cff22ed27ddb12959ce
                                                                                        • Instruction Fuzzy Hash: 6FD1F43582475ACACB10EF64D990699BBB1FF95300F60DB9AE00937225EF706AC4CF91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d580ce3dfdd977936b9d26978db9510e2f4efc1c50e7b1e40434e9553a75fbf8
                                                                                        • Instruction ID: 97f4b5be35cff2be04e677b61c1ecee0c3ee6c274a000f99aeb1a73e055819f4
                                                                                        • Opcode Fuzzy Hash: d580ce3dfdd977936b9d26978db9510e2f4efc1c50e7b1e40434e9553a75fbf8
                                                                                        • Instruction Fuzzy Hash: 37A14B32E402198FCF0ADFB5C8405DEB7B2FF85304B6595AAE805AB265DB31E915CF90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1764346896.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_5630000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a69c52d0edb1e49d0503308b56bd94ca9d2cf2288049151eacb3b6f73fe61ac0
                                                                                        • Instruction ID: 3afb587061b8053e4efbd568b7d97b513674cadfd104163e40c7af7147885866
                                                                                        • Opcode Fuzzy Hash: a69c52d0edb1e49d0503308b56bd94ca9d2cf2288049151eacb3b6f73fe61ac0
                                                                                        • Instruction Fuzzy Hash: FFD1E43182475ACACB14EF64D990699BBB1FF95300F60DB9AE00937225EF746AC4CF91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4eb2c7eefc65f93b73fc9d4149aaf07ce6623bdd37481322e51ebca03d42a97c
                                                                                        • Instruction ID: 869c936867c6586f3adb072221e2bff69ccff775c02eb58aadfc182900a69218
                                                                                        • Opcode Fuzzy Hash: 4eb2c7eefc65f93b73fc9d4149aaf07ce6623bdd37481322e51ebca03d42a97c
                                                                                        • Instruction Fuzzy Hash: 8051FA74E002198FCB14CFA9C9405AEBBF6FF89305F24C569E419AB265D7359A42CFA0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 52c5bf7335a6fedd154dfbee8af0e2a385295ced67ac03c9233d018bdfc98994
                                                                                        • Instruction ID: e9bb648e888d0fa3d0dff869c31295be4ca4e69ccb9657f50b09781ff95f98b7
                                                                                        • Opcode Fuzzy Hash: 52c5bf7335a6fedd154dfbee8af0e2a385295ced67ac03c9233d018bdfc98994
                                                                                        • Instruction Fuzzy Hash: 37511975E002198BCB14CFA9C5415AEFBF2BF89304F24C66AD419AB355D7359A42CFA0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b2a5e1e494cbc87110509cc78f6e95adcdc67a1c79fb58b24bcbff7860d23de4
                                                                                        • Instruction ID: 8d6a151c1398b80480092d36c0f13d384403a2abf668deb5778fc0fe265dd4e3
                                                                                        • Opcode Fuzzy Hash: b2a5e1e494cbc87110509cc78f6e95adcdc67a1c79fb58b24bcbff7860d23de4
                                                                                        • Instruction Fuzzy Hash: 6F512974E042198FCB14CFA9C9805AEFBF2FF89305F24C569E419AB255D7349A42CFA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7cfb35f6d7046dce8ae1cccf5c42005a367081a4ff42ea57cf15250fe77af0f4
                                                                                        • Instruction ID: 983160f62136d2a4b9d7b48966b8deb7dcfa63198dc2a29bb7f34ecbfcfd9d77
                                                                                        • Opcode Fuzzy Hash: 7cfb35f6d7046dce8ae1cccf5c42005a367081a4ff42ea57cf15250fe77af0f4
                                                                                        • Instruction Fuzzy Hash: 1F510874E002198BCB14CFAAC5805AEFBF6FF89304F24C569D819AB325D7349A42CF61
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1768180515.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_9030000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 63af1a44f689ba229dd9693eae7a612ce532625bbe7b78ad6113f7ce22654c01
                                                                                        • Instruction ID: 072f399a667bc8e18b3f071c1bd6bc90fe69904687604dececed45563f3c23c8
                                                                                        • Opcode Fuzzy Hash: 63af1a44f689ba229dd9693eae7a612ce532625bbe7b78ad6113f7ce22654c01
                                                                                        • Instruction Fuzzy Hash: E521D771D056688BEB18CF6B98047DDBAF7BFC9301F04C5AAD90CA6255DB340A858E40
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1761560734.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2eb0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 06218a6b67a74a3915561226b5d01fe4ff1763ea7cfae36db2ade9969f279b36
                                                                                        • Instruction ID: 44449daa09f39c6391011ee29be90d414e568681211964364f96f87bd78ae9c3
                                                                                        • Opcode Fuzzy Hash: 06218a6b67a74a3915561226b5d01fe4ff1763ea7cfae36db2ade9969f279b36
                                                                                        • Instruction Fuzzy Hash: 2E010C66E193D08BE3D769B902360EB7FEACD9201939604D9EFC919333D50A4843D755

Execution Graph

Execution Coverage: 17.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 6.7%
Total number of Nodes: 60
Total number of Limit Nodes: 9

Control-flow Graph
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2010746580.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_6c40000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: s%$+
                                                                                        • API String ID: 0-4147541561
                                                                                        • Opcode ID: 26098e0b63761febe67fe872e299a4b136c9da7f6a1da2b2c17a186a415d6a23
                                                                                        • Instruction ID: 974362f14021c3b37b4d6ec38d378c2ba1e7bbe8bd8d3a30421ee9544c298ff7
                                                                                        • Opcode Fuzzy Hash: 26098e0b63761febe67fe872e299a4b136c9da7f6a1da2b2c17a186a415d6a23
                                                                                        • Instruction Fuzzy Hash: 4BC28E74A012299FCBA5EF28D998B9DB7B2FF49301F1085E9D80DA7254DB346E81CF50

Control-flow Graph
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2012820582.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7210000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $dq$$dq$$dq$$dq
                                                                                        • API String ID: 0-185584874
                                                                                        • Opcode ID: 253b17d383036af8a75cf1756b837040bd254a6096c9e85d5f3340a32a3139f6
                                                                                        • Instruction ID: 43a80c3425c1dbaa241301a7908791e540467d31a5a292fa51a8a6d5c80e7cff
                                                                                        • Opcode Fuzzy Hash: 253b17d383036af8a75cf1756b837040bd254a6096c9e85d5f3340a32a3139f6
                                                                                        • Instruction Fuzzy Hash: A432A0B4E11229CFDB68DF65C990BDEB7B2BB89300F5081E9C509AB250DB359E81CF50

Control-flow Graph
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2010746580.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_6c40000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .$1
                                                                                        • API String ID: 0-1839485796
                                                                                        • Opcode ID: 7774bc66f54c0943306923c865f154bda3256fd37a6d01dd173a8d764585bf23
                                                                                        • Instruction ID: 1aae38aa1967e3df256161106d5a3176e817fac52603212d02e0f090b06d92ac
                                                                                        • Opcode Fuzzy Hash: 7774bc66f54c0943306923c865f154bda3256fd37a6d01dd173a8d764585bf23
                                                                                        • Instruction Fuzzy Hash: 0EF1CD74E01329CFDB68DF65C984B9DBBB2FF89301F1081A9D50AA7254DB359A81CF50
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2010746580.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_6c40000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: +#
                                                                                        • API String ID: 0-807803015
                                                                                        • Opcode ID: 927378772cf1d1e5a6aa5284c2702af3a5a45149a176ee4ab9cb71556d60e308
                                                                                        • Instruction ID: 29514e3e73363ea5865f174c063eaf3f60d4d012db8b22f489b58b540b6c1b37
                                                                                        • Opcode Fuzzy Hash: 927378772cf1d1e5a6aa5284c2702af3a5a45149a176ee4ab9cb71556d60e308
                                                                                        • Instruction Fuzzy Hash: 5991E374D01228CFDB64EFA9C984B9DBBB2FF49300F5081A9D409A7351EB31AA85CF51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2010746580.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_6c40000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ef8ff0554bd24b4558792a556a7502df7d0d47792f7fe9ba931f96a0c323797a
                                                                                        • Instruction ID: fc66eede1a3a51633c0b371e397f8a733e42b6a6781ba2adc1ea80547b7b04dc
                                                                                        • Opcode Fuzzy Hash: ef8ff0554bd24b4558792a556a7502df7d0d47792f7fe9ba931f96a0c323797a
                                                                                        • Instruction Fuzzy Hash: B2229E74D012298FDBA4DF69C994BD9B7B2BF49300F5081EAD549A7250EB30AEC5CF80

Control-flow Graph
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 014BD136
                                                                                        • GetCurrentThread.KERNEL32 ref: 014BD173
                                                                                        • GetCurrentProcess.KERNEL32 ref: 014BD1B0
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 014BD209
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1990091550.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_14b0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: dfa974fb05ad2e33705be12b4dc148b26d2daeb5d57e608feb661dac287ed0e4
                                                                                        • Instruction ID: bb45d3e5b4f941c207fe2e94f8dc1e35211fc575dd05a57f099e32af4a168f8d
                                                                                        • Opcode Fuzzy Hash: dfa974fb05ad2e33705be12b4dc148b26d2daeb5d57e608feb661dac287ed0e4
                                                                                        • Instruction Fuzzy Hash: 2F5159B09002498FDB14CFA9E988BDEBFF1AF48314F24845AE119A73A0DB745944CB65

Control-flow Graph
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 014BD136
                                                                                        • GetCurrentThread.KERNEL32 ref: 014BD173
                                                                                        • GetCurrentProcess.KERNEL32 ref: 014BD1B0
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 014BD209
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1990091550.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_14b0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: 7ed353467d2a2010dba20543c5759693ceed97ac86c79845ee70221aa0c272d8
                                                                                        • Instruction ID: e31ef8b012931cf745eaa21f6545a011599a6be7e034b7b98414999d79033b07
                                                                                        • Opcode Fuzzy Hash: 7ed353467d2a2010dba20543c5759693ceed97ac86c79845ee70221aa0c272d8
                                                                                        • Instruction Fuzzy Hash: 285157B09002098FDB14CFAAE988BDEFFF1AF48314F24845AE109A73A0DB745944CB65
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 014BB086
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1990091550.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_14b0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 8579b61f6fbd4067e1f04ccf0177260d1a1aaa6072dd56c1e22a16f3f9f33ee0
                                                                                        • Instruction ID: 087cc2416b5d285a983e294ddae8d015fa843b049d8139df5979fbf7a4927701
                                                                                        • Opcode Fuzzy Hash: 8579b61f6fbd4067e1f04ccf0177260d1a1aaa6072dd56c1e22a16f3f9f33ee0
                                                                                        • Instruction Fuzzy Hash: FD7127B0A00B058FD724DF2AD49479BBBF1FF48214F10892ED58A97B50D775E845CBA1
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 014B59F1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1990091550.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_14b0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 06b7fa910b1c8525b1b462c912942d48c80796ad53a42f9ec72bcf731a51a202
                                                                                        • Instruction ID: a6146ed0faf88ea19177f090efa7f8827fe3f329ff9ed630f57fd72e82e975fb
                                                                                        • Opcode Fuzzy Hash: 06b7fa910b1c8525b1b462c912942d48c80796ad53a42f9ec72bcf731a51a202
                                                                                        • Instruction Fuzzy Hash: 5241AEB0D00719CADB24DFA9C984B9EFBB5FF49304F20806AD509BB251DBB56945CFA0
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 014B59F1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1990091550.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_14b0000_PO-1BdyzarvrjUANe0.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 6b5680aec360f5233feff8938e968b567520092b1c3a12929f9474ab0f89ba03
                                                                                        • Instruction ID: f0ee31bb81fc98bea6a576046cfb0f9885bcc5df8ced4fbffac6230de5aa0b27
                                                                                        • Opcode Fuzzy Hash: 6b5680aec360f5233feff8938e968b567520092b1c3a12929f9474ab0f89ba03
                                                                                        • Instruction Fuzzy Hash: B441CEB0D00619CADB24DFA9C984B8EBBB5FF48304F24806AD418BB261DB756945CFA0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014BD387
Memory Dump Source
• Source File: 00000002.00000002.1990091550.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_14b0000_PO-1BdyzarvrjUANe0.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,06C4E676), ref: 06C4E77E
Memory Dump Source
• Source File: 00000002.00000002.2010746580.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c40000_PO-1BdyzarvrjUANe0.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014BB086
Memory Dump Source
• Source File: 00000002.00000002.1990091550.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_14b0000_PO-1BdyzarvrjUANe0.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07216F85
Memory Dump Source
• Source File: 00000002.00000002.2012820582.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7210000_PO-1BdyzarvrjUANe0.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0