
Windows Analysis Report
Notarising.exe

Overview

General Information

Sample name: Notarising.exe
Analysis ID: 1366394
MD5: 300a85702dfee48866e544b5177704a0
SHA1: c7056786da7a23171255d0f006a6b3e86bede0d2
SHA256: f199aff3254f8943d2f616782a1fb4c5f69f0a6faa0325a10781be8a2fdb77ff
Tags: exe, redlinestealer

Detection

Family: RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Notarising.exe (PID: 4456 cmdline: C:\Users\user\Desktop\Notarising.exe MD5: 300A85702DFEE48866E544B5177704A0)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware configuration (RedLine): {"C2 url": "195.20.16.188:20749", "Bot Id": "LogsDiller Cloud (Telegram: @logsdillabot)", "Authorization Header": "c2955ed3813a798683a185a82e949f88"}
Yara matches (Source | Rule | Description | Author)

dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2330284235.0000000000E12000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2333325033.0000000003E24000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: Notarising.exe PID: 4456 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Notarising.exe PID: 4456 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.Notarising.exe.e10000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

No Sigma rule has matched
Snort IDS alerts

Timestamp: 12/22/23-21:25:08.288793
Source IP: 192.168.2.5
Destination IP: 195.20.16.188
Source Port: 49704
Destination Port: 20749
SID: 2046045
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 12/22/23-21:25:24.427320
Source IP: 192.168.2.5
Destination IP: 195.20.16.188
Source Port: 49704
Destination Port: 20749
SID: 2043231
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 12/22/23-21:25:14.003688
Source IP: 195.20.16.188
Destination IP: 192.168.2.5
Source Port: 20749
Destination Port: 49704
SID: 2046056
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 12/22/23-21:25:08.615062
Source IP: 195.20.16.188
Destination IP: 192.168.2.5
Source Port: 20749
Destination Port: 49704
SID: 2043234
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 195.20.16.188:20749 | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "195.20.16.188:20749", "Bot Id": "LogsDiller Cloud (Telegram: @logsdillabot)", "Authorization Header": "c2955ed3813a798683a185a82e949f88"}
Source: Notarising.exe | ReversingLabs: Detection: 67%
Source: Notarising.exe | Joe Sandbox ML: detected
Source: Notarising.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: Notarising.exe, 00000000.00000002.2330383938.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then jmp 078375BBh | 0_2_07836750
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then jmp 07831A22h | 0_2_07831278
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then jmp 078383C0h | 0_2_07837EE0
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then jmp 07832D83h | 0_2_07832B50
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then jmp 078356F1h | 0_2_078356D9
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then jmp 078322EFh | 0_2_07831F10
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then jmp 078322EFh | 0_2_07831F20
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 0_2_07B67768
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then jmp 07B6563Ah | 0_2_07B65218
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then jmp 07B65ABAh | 0_2_07B65218
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then jmp 07B6343Ah | 0_2_07B63188
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 4x nop then jmp 07B64935h | 0_2_07B64914

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:49704 -> 195.20.16.188:20749
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49704 -> 195.20.16.188:20749
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 195.20.16.188:20749 -> 192.168.2.5:49704
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer Family Activity (Response) 195.20.16.188:20749 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: 195.20.16.188:20749
Source: global traffic | TCP traffic: 195.20.16.188 ports 20749,0,2,4,7,9
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 195.20.16.188:20749
Source: Joe Sandbox View | ASN Name: EITADAT-ASFI
Source: unknown | TCP traffic detected without corresponding DNS query: 195.20.16.188 (50 identical entries in the report)
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000003E24000.00000004.00000800.00020000.00000000.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: Notarising.exe, Notarising.exe, 00000000.00000002.2330284235.0000000000E12000.00000040.00000001.01000000.00000003.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Source: Notarising.exe | Static PE information: section name:
Source: Notarising.exe | Static PE information: section name:
Source: Notarising.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_03C3DCD4
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07836750
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07834688
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07833430
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07830438
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07831278
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07834048
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07837EE0
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07839E20
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_0783AE28
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07834DF0
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07835C81
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_078308A0
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07834678
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07830429
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_0783403E
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07831F10
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07831F20
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B67768
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B63C68
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B65218
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B69A58
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B63188
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B649C8
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B620C9
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B67759
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B60E6A
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B65DE8
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B61518
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B65207
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B649B8
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B61980
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B67118
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B61970
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B60006
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B60808
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07B60040
Source: Notarising.exe | Binary or memory string: OriginalFilename vs Notarising.exe
Source: Notarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Notarising.exe
Source: Notarising.exe, 00000000.00000002.2332131345.000000000196E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Notarising.exe
Source: Notarising.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Notarising.exe | Static PE information: Section: ZLIB complexity 0.9982143282302802
Source: Notarising.exe | Static PE information: Section: ZLIB complexity 0.9980615373770838
Source: Notarising.exe | Static PE information: Section: ZLIB complexity 1.5
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
Source: C:\Users\user\Desktop\Notarising.exe | File created: C:\Users\user\AppData\Local\SystemCache
Source: C:\Users\user\Desktop\Notarising.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Notarising.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Notarising.exe | ReversingLabs: Detection: 67%
Source: C:\Users\user\Desktop\Notarising.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Notarising.exe | Static file information: File size 4310025 > 1048576
Source: Notarising.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x3e3809
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: Notarising.exe, 00000000.00000002.2330383938.0000000000E82000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\Notarising.exe | Unpacked PE file: 0.2.Notarising.exe.e10000.0.unpack :ER; :R; :R;.imports:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R;
Source: Notarising.exe | Static PE information: 0x9B423614 [Wed Jul 17 05:41:40 2052 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: Notarising.exe | Static PE information: section name:
Source: Notarising.exe | Static PE information: section name:
Source: Notarising.exe | Static PE information: section name:
Source: Notarising.exe | Static PE information: section name: .imports
Source: Notarising.exe | Static PE information: section name: .themida
Source: Notarising.exe | Static PE information: section name: .boot
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011EEB2F push 05A4385Ch; mov dword ptr [esp], ebx | 0_2_011EEAB6
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011EEB2F push 6E4B276Ah; mov dword ptr [esp], eax | 0_2_011EEADA
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011FE91F push eax; mov dword ptr [esp], edi | 0_2_011FE8F0
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011FE91F push edi; mov dword ptr [esp], 64E3572Eh | 0_2_011FE903
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_01199918 push edx; mov dword ptr [esp], eax | 0_2_0119993F
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_01199918 push 3FB833B4h; mov dword ptr [esp], ecx | 0_2_0119997D
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_0116E915 push edi; mov dword ptr [esp], ecx | 0_2_0116E8AB
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_0116F112 push 357183D8h; mov dword ptr [esp], ebp | 0_2_0116F0EF
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_0116F112 push edx; mov dword ptr [esp], 717009DAh | 0_2_0116F0FD
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_0116F112 push 54163B9Bh; mov dword ptr [esp], ebp | 0_2_0116F126
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011A691C push ebp; mov dword ptr [esp], ecx | 0_2_011A6940
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011A691C push eax; mov dword ptr [esp], 75C73679h | 0_2_011A6953
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011E0915 push ebp; mov dword ptr [esp], ecx | 0_2_011E0933
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_01155119 push edi; mov dword ptr [esp], ebx | 0_2_01155113
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_01155119 push 3F647DC6h; mov dword ptr [esp], edi | 0_2_01155130
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_01164918 push 1FD5431Dh; mov dword ptr [esp], ecx | 0_2_01164871
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_01164918 push 11B0E4EAh; mov dword ptr [esp], ecx | 0_2_0116488B
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_01164918 push eax; mov dword ptr [esp], 02274B64h | 0_2_011648A6
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_01164918 push edi; mov dword ptr [esp], ebx | 0_2_01164911
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_01164918 push edi; mov dword ptr [esp], ebx | 0_2_0116494B
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011D8108 push 3DB7ED35h; mov dword ptr [esp], esp | 0_2_011D8CBA
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011D8108 push 6C80F259h; mov dword ptr [esp], eax | 0_2_011D8CC2
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011B2902 push edx; mov dword ptr [esp], 093D8DB6h | 0_2_011B2916
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011B2902 push esi; mov dword ptr [esp], ecx | 0_2_011B2928
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011B2902 push edx; mov dword ptr [esp], 499B0554h | 0_2_011B2943
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011A0900 push 6F4792F8h; mov dword ptr [esp], edx | 0_2_011A0925
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_0116F137 push 0B532DBEh; mov dword ptr [esp], edi | 0_2_0116F159
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_0116F137 push edx; mov dword ptr [esp], ecx | 0_2_0116F186
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011D3936 push esi; mov dword ptr [esp], ecx | 0_2_011D397D
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011D9131 push 07912C68h; mov dword ptr [esp], ebx | 0_2_011D912B
Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_011D9131 push ecx; mov dword ptr [esp], 70F9F6F7h | 0_2_011D91A5
Source: initial sample | Static PE information: section name: entropy: 7.962888780247569

                Boot Survival

                Source: C:\Users\user\Desktop\Notarising.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\Notarising.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\Notarising.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\Notarising.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\Notarising.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\Notarising.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\Notarising.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\Notarising.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\Notarising.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\Notarising.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\Notarising.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\Notarising.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Notarising.exe | Window / User API: threadDelayed 1692
                Source: C:\Users\user\Desktop\Notarising.exe | Window / User API: threadDelayed 5194
                Source: C:\Users\user\Desktop\Notarising.exe TID: 2148 | Thread sleep time: -24903104499507879s >= -30000s
                Source: C:\Users\user\Desktop\Notarising.exe TID: 5676 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: Notarising.exe, 00000000.00000002.2332131345.0000000001A43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: Notarising.exe, 00000000.00000002.2336508256.000000000518C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: Notarising.exe, 00000000.00000002.2336508256.0000000005376000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: C:\Users\user\Desktop\Notarising.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\Notarising.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\Notarising.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\Notarising.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\Notarising.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\Notarising.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\Notarising.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\Notarising.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\Notarising.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\Notarising.exe | Process queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\Notarising.exe | Code function: 0_2_07836750 LdrInitializeThunk, | 0_2_07836750
                Source: C:\Users\user\Desktop\Notarising.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Notarising.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\Notarising.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\Notarising.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Notarising.exe, 00000000.00000002.2345531251.0000000006B6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                Source: C:\Users\user\Desktop\Notarising.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 0.2.Notarising.exe.e10000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2330284235.0000000000E12000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2333325033.0000000003E24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Notarising.exe PID: 4456, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Notarising.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\Notarising.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                Source: C:\Users\user\Desktop\Notarising.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\Notarising.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\Notarising.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Notarising.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Notarising.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\Notarising.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                Source: C:\Users\user\Desktop\Notarising.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                Source: C:\Users\user\Desktop\Notarising.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                Source: Yara match | File source: Process Memory Space: Notarising.exe PID: 4456, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 0.2.Notarising.exe.e10000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2330284235.0000000000E12000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2333325033.0000000003E24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Notarising.exe PID: 4456, type: MEMORYSTR
                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpactResource DevelopmentReconnaissance
                Valid Accounts221
                Windows Management Instrumentation
                Path InterceptionPath Interception1
                Masquerading
                1
                OS Credential Dumping
                751
                Security Software Discovery
                Remote Services1
                Archive Collected Data
                Exfiltration Over Other Network Medium1
                Encrypted Channel
                Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationAbuse Accessibility FeaturesAcquire InfrastructureGather Victim Identity Information
                Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                Disable or Modify Tools
                LSASS Memory1
                Process Discovery
                Remote Desktop Protocol2
                Data from Local System
                Exfiltration Over Bluetooth1
                Non-Standard Port
                SIM Card SwapObtain Device Cloud BackupsNetwork Denial of ServiceDomainsCredentials
                Domain AccountsAtLogon Script (Windows)Logon Script (Windows)551
                Virtualization/Sandbox Evasion
                Security Account Manager551
                Virtualization/Sandbox Evasion
                SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                Application Layer Protocol
                Data Encrypted for ImpactDNS ServerEmail Addresses
                Local AccountsCronLogin HookLogin Hook3
                Obfuscated Files or Information
                NTDS1
                Application Window Discovery
                Distributed Component Object ModelInput CaptureTraffic DuplicationProtocol ImpersonationData DestructionVirtual Private ServerEmployee Names
                Cloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
                Software Packing
                LSA Secrets114
                System Information Discovery
                SSHKeyloggingScheduled TransferFallback ChannelsData Encrypted for ImpactServerGather Victim Network Information
                Replication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Timestomp
                Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureData Transfer Size LimitsMultiband CommunicationService StopBotnetDomain Properties
                Source | Detection | Scanner | Label | Link
                Notarising.exe | 68% | ReversingLabs | Win32.Trojan.Privateloader |
                Notarising.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                195.20.16.188:20749 | true | Avira URL Cloud: malware | unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelNotarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id13Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id14Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id15Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id16Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/NonceNotarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id17Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id18Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id5ResponseNotarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id19Notarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsNotarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id15ResponseDNotarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id10ResponseNotarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RenewNotarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id11ResponseDNotarising.exe, 00000000.00000002.2333325033.0000000004214000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id8ResponseNotarising.exe, 00000000.00000002.2333325033.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Notarising.exe, 00000000.00000002.2333325033.0000000003E63000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyNotarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0Notarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDNotarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTNotarising.exe, 00000000.00000002.2333325033.0000000003E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentityNotarising.exe, 00000000.00000002.2333325033.0000000003E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id17ResponseDNotarising.exe, 00000000.00000002.2333325033.0000000004280000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      • No. of IPs < 25%
                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                      • 75% < No. of IPs
IP: 195.20.16.188
Domain: unknown
Country: Finland
ASN: 42297
ASN Name: EITADAT-ASFI
Malicious: true
Joe Sandbox version: 38.0.0 Ammolite
Analysis ID: 1366394
Start date and time: 2023-12-22 21:24:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Notarising.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 69%
• Number of executed functions: 39
• Number of non-executed functions: 18
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Notarising.exe
Time: 21:25:19
Type: API Interceptor
Description: 36x Sleep call for process: Notarising.exe modified
Match: EITADAT-ASFI
Associated samples (all detected as malicious; context IP 195.20.16.103 for every entry):
• fY2HAd4r9I.exe: Amadey, Easy Stealer, LummaC Stealer, RHADAMANTHYS, RedLine, SmokeLoader, zgRAT
• ABHRDIL8cm.exe: Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• qmJ59GSETt.exe: Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• Xu9HaBSiIJ.exe: Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• QGShkK4MMl.exe: Amadey, LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Vidar, zgRAT
• sEWX47oH4X.exe: Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• zXGs3AGQSn.exe: Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• 0dzdkSIbp0.exe: Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• NFcNdFBTH9.exe: Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• 1vZX9U5Diw.exe: Amadey, LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Vidar, zgRAT
• QrHAH5Dt6l.exe: Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• zFZmNLWVfM.exe: Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• zB6UeFurbf.exe: Amadey, LummaC Stealer, RHADAMANTHYS, RedLine, SmokeLoader, zgRAT
• 7ykYy4WbzK.exe: Amadey, LummaC Stealer, RHADAMANTHYS, RedLine, SmokeLoader, zgRAT
• U1MiP25NrU.exe: Amadey, Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar
• G9rPCOOUlU.exe: Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• OYSVIdqcxa.exe: Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• 2OcriJkWk6.exe: Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• lPUOqVqw1D.exe: Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT
• OE9ZntaKqM.exe: Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT
Process: C:\Users\user\Desktop\Notarising.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3094
Entropy (8bit): 5.33145931749415
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5: 2A56468A7C0F324A42EA599BF0511FAF
SHA1: 404B343A86EDEDF5B908D7359EB8AA957D1D4333
SHA-256: 6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
SHA-512: 19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.898682470370749
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Notarising.exe
File size: 4'310'025 bytes
MD5: 300a85702dfee48866e544b5177704a0
SHA1: c7056786da7a23171255d0f006a6b3e86bede0d2
SHA256: f199aff3254f8943d2f616782a1fb4c5f69f0a6faa0325a10781be8a2fdb77ff
SHA512: d97cb38af00e018849fdba3f414a4778ebe053ea15bbff80da5c935c09b524009a451ace6299bace4884560893c1158c66bda54f9c2d53ab14334ea5430f7438
SSDEEP: 98304:yEyHI/4IRUMVp3W8T72Ic/PvCqvTIOKTQqLCbLDeNV:y1Hu4VxjCqvEPLuaNV
TLSH: 93163310F9E81866D01493B8977BCB32BD700E540974D28277E83FB33D3A6EA1B9557A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6B...............0.............X.a.. ... ....@.. ...............................zB...@................................
Icon Hash: 4d8ea38d85a38e6d
Entrypoint: 0xa1c058
Entrypoint Section: .boot
                                                                                                                      Digitally signed:false
                                                                                                                      Imagebase:0x400000
                                                                                                                      Subsystem:windows gui
                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                      Time Stamp:0x9B423614 [Wed Jul 17 05:41:40 2052 UTC]
                                                                                                                      TLS Callbacks:
                                                                                                                      CLR (.Net) Version:
                                                                                                                      OS Version Major:4
                                                                                                                      OS Version Minor:0
                                                                                                                      File Version Major:4
                                                                                                                      File Version Minor:0
                                                                                                                      Subsystem Version Major:4
                                                                                                                      Subsystem Version Minor:0
                                                                                                                      Import Hash:4328f7206db519cd4e82283211d98e83
                                                                                                                      Instruction
                                                                                                                      call 00007F973CB92430h
                                                                                                                      push ebx
                                                                                                                      mov ebx, esp
                                                                                                                      push ebx
                                                                                                                      mov esi, dword ptr [ebx+08h]
                                                                                                                      mov edi, dword ptr [ebx+10h]
                                                                                                                      cld
                                                                                                                      mov dl, 80h
                                                                                                                      mov al, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      mov byte ptr [edi], al
                                                                                                                      inc edi
                                                                                                                      mov ebx, 00000002h
                                                                                                                      add dl, dl
                                                                                                                      jne 00007F973CB922E7h
                                                                                                                      mov dl, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      adc dl, dl
                                                                                                                      jnc 00007F973CB922CCh
                                                                                                                      add dl, dl
                                                                                                                      jne 00007F973CB922E7h
                                                                                                                      mov dl, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      adc dl, dl
                                                                                                                      jnc 00007F973CB92333h
                                                                                                                      xor eax, eax
                                                                                                                      add dl, dl
                                                                                                                      jne 00007F973CB922E7h
                                                                                                                      mov dl, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      adc dl, dl
                                                                                                                      jnc 00007F973CB923C7h
                                                                                                                      add dl, dl
                                                                                                                      jne 00007F973CB922E7h
                                                                                                                      mov dl, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      adc dl, dl
                                                                                                                      adc eax, eax
                                                                                                                      add dl, dl
                                                                                                                      jne 00007F973CB922E7h
                                                                                                                      mov dl, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      adc dl, dl
                                                                                                                      adc eax, eax
                                                                                                                      add dl, dl
                                                                                                                      jne 00007F973CB922E7h
                                                                                                                      mov dl, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      adc dl, dl
                                                                                                                      adc eax, eax
                                                                                                                      add dl, dl
                                                                                                                      jne 00007F973CB922E7h
                                                                                                                      mov dl, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      adc dl, dl
                                                                                                                      adc eax, eax
                                                                                                                      je 00007F973CB922EAh
                                                                                                                      push edi
                                                                                                                      mov eax, eax
                                                                                                                      sub edi, eax
                                                                                                                      mov al, byte ptr [edi]
                                                                                                                      pop edi
                                                                                                                      mov byte ptr [edi], al
                                                                                                                      inc edi
                                                                                                                      mov ebx, 00000002h
                                                                                                                      jmp 00007F973CB9227Bh
                                                                                                                      mov eax, 00000001h
                                                                                                                      add dl, dl
                                                                                                                      jne 00007F973CB922E7h
                                                                                                                      mov dl, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      adc dl, dl
                                                                                                                      adc eax, eax
                                                                                                                      add dl, dl
                                                                                                                      jne 00007F973CB922E7h
                                                                                                                      mov dl, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      adc dl, dl
                                                                                                                      jc 00007F973CB922CCh
                                                                                                                      sub eax, ebx
                                                                                                                      mov ebx, 00000001h
                                                                                                                      jne 00007F973CB9230Ah
                                                                                                                      mov ecx, 00000001h
                                                                                                                      add dl, dl
                                                                                                                      jne 00007F973CB922E7h
                                                                                                                      mov dl, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      adc dl, dl
                                                                                                                      adc ecx, ecx
                                                                                                                      add dl, dl
                                                                                                                      jne 00007F973CB922E7h
                                                                                                                      mov dl, byte ptr [esi]
                                                                                                                      inc esi
                                                                                                                      adc dl, dl
                                                                                                                      jc 00007F973CB922CCh
                                                                                                                      push esi
                                                                                                                      mov esi, edi
                                                                                                                      sub esi, ebp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5203a | 0x50 | .imports
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x54000 | 0x1c9d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x30000 | 0x14822 | False | 0.9982143282302802 | data | 7.962888780247569 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
 | 0x32000 | 0x1c9d0 | 0x6ed5 | False | 0.9980615373770838 | data | 7.948171750237992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0x50000 | 0xc | 0x10 | False | 1.5 | data | 3.875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.imports | 0x52000 | 0x2000 | 0x200 | False | 0.16796875 | data | 1.1405531534676816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x54000 | 0x1ca00 | 0x1ca00 | False | 0.23824713427947597 | data | 2.6159893076126157 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x72000 | 0x5aa000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x61c000 | 0x3e3a00 | 0x3e3809 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

The first three sections have names that do not render (the "PE file contains section with special chars" signature). The entry point 0xa1c058 (RVA 0x61c058 at image base 0x400000) falls in .boot rather than in a conventional code section; .themida is readable, writable and executable with no raw data (0x0) but 0x5aa000 bytes of virtual size, i.e. it is populated at run time; and the first two sections reach entropy 7.96 and 7.95, which is what compressed or encrypted content looks like. Together these explain the "Detected unpacking (changes PE section rights)" and "Entry point lies outside standard sections" signatures.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x541a0 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
RT_ICON | 0x57eb4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
RT_ICON | 0x686ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
RT_ICON | 0x6c924 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
RT_ICON | 0x6eedc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
RT_ICON | 0x6ff94 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
RT_GROUP_ICON | 0x7040c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x70478 | 0x35a | data | | | 0.4428904428904429
RT_MANIFEST | 0x707e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.5489795918367347
DLL | Import
kernel32.dll | GetModuleHandleA
mscoree.dll | _CorExeMain

Only two imports remain. mscoree!_CorExeMain marks the file as a .NET executable, yet the CLR data directory (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) above is 0x0 and no CLR version is reported, so the managed image is not present in the file as it sits on disk and is only materialised once the stub in .boot has run, consistent with the "Detected unpacking" signature and the .NET assemblies (System, System.Core, System.Configuration, System.Xml) seen loading in the fusion log preview above.
Language of compilation system | Country where language is spoken | Map
English | United States |
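The static indicators above (entry point outside a standard section, a timestamp in 2052, sections with unprintable names, a writable and executable .themida section with no raw data, near-8.0 entropy, and a _CorExeMain import without a CLR header) can all be read straight from the PE headers. The following script is an added example, not part of the Joe Sandbox report: it builds a constructed PE32 in memory whose header values copy this report (section layout, entry point 0xa1c058, timestamp 0x9B423614, data directories), with placeholder section contents, then walks the headers with the standard library only and prints whichever indicators fire. The set of "standard" code section names and the 7.0 entropy threshold are assumptions, and the `_CorExeMain` check is a string scan standing in for a full import-table walk.

```python
"""PE32 triage for the static indicators in this report: entry point outside a standard
section, future timestamp, unprintable section names, W+X and raw-size-0 sections,
packed-section entropy, and a .NET import stub without a CLR header."""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_SCN_* section characteristics (winnt.h)
CNT_CODE, CNT_INIT_DATA = 0x20, 0x40
MEM_DISCARDABLE, MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x02000000, 0x20000000, 0x40000000, 0x80000000
STANDARD_CODE_SECTIONS = {b".text", b".code", b"CODE", b".itext"}   # assumption: what counts as "standard"


def build_sample_pe():
    """Constructed PE32 whose headers copy the report (entry point 0xa1c058 in .boot, timestamp
    0x9B423614, three sections with unprintable names, .themida with raw size 0, W+X flags).
    Section *contents* are placeholders: seeded pseudo-random bytes for packed sections, zeros elsewhere."""
    rng = random.Random(1366394)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    stub = b"kernel32.dll\0GetModuleHandleA\0mscoree.dll\0_CorExeMain\0"   # stands in for the import table
    sections = [  # name, VA, VirtualSize, raw bytes, characteristics
        (b"\x01\x02\x03", 0x2000, 0x30000, rand(4096), CNT_CODE | MEM_EXECUTE | MEM_READ),
        (b"\x01\x02\x04", 0x32000, 0x1c9d0, rand(2048), CNT_INIT_DATA | MEM_READ),
        (b"\x01\x02\x05", 0x50000, 0xc, b"\0" * 16, CNT_INIT_DATA | MEM_DISCARDABLE | MEM_READ),
        (b".imports", 0x52000, 0x2000, stub.ljust(512, b"\0"), CNT_INIT_DATA | MEM_READ | MEM_WRITE),
        (b".rsrc", 0x54000, 0x1ca00, b"\0" * 512, CNT_INIT_DATA | MEM_READ),
        (b".themida", 0x72000, 0x5aa000, b"", CNT_CODE | CNT_INIT_DATA | MEM_EXECUTE | MEM_READ | MEM_WRITE),
        (b".boot", 0x61c000, 0x3e3a00, rand(4096), CNT_CODE | CNT_INIT_DATA | MEM_EXECUTE | MEM_READ),
    ]
    headers_size, raw_off, sec_hdrs, blobs = 0x400, 0x400, b"", b""
    for name, va, vsize, raw, flags in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), raw_off if raw else 0, 0, 0, 0, 0, flags)
        raw_off, blobs = raw_off + len(raw), blobs + raw
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14c, len(sections), 0x9B423614, 0, 0, 224, 0x010e)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10b, 0, 0, 0x14822, 0x1d5e5, 0, 0x61c058, 0x2000, 0x32000,
                      0x400000, 0x2000, 0x200, 4, 0, 4, 0, 4, 0, 0, 0xa00000, 0x400, 0, 2, 0x8040,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2] = (0x5203a, 0x50), (0x54000, 0x1c9d0)        # import and resource directories only
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(headers_size, b"\0") + blobs


def parse(pe):
    """Minimal PE32 header walk (no third-party parser): COFF header, optional header, directories, sections."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3c)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    entry, = struct.unpack_from("<I", pe, opt + 16)
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    ndirs, = struct.unpack_from("<I", pe, opt + 92)
    dirs = [struct.unpack_from("<II", pe, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsz, rawptr, *_, flags = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize, "flags": flags,
                         "raw": pe[rawptr:rawptr + rawsz] if rawsz else b""})
    return {"stamp": stamp, "entry": entry, "image_base": image_base, "dirs": dirs, "sections": sections}


def entropy(data):
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def stamp_to_utc(stamp):
    """COFF TimeDateStamp is seconds since the Unix epoch."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def triage(pe, now=None):
    """Return the indicator strings that fire on this image."""
    h, now, out = parse(pe), now or datetime.now(timezone.utc), []
    built = stamp_to_utc(h["stamp"])
    if built > now:
        out.append(f"timestamp {built:%Y-%m-%d %H:%M:%S} UTC lies in the future")
    ep = next((s for s in h["sections"] if s["va"] <= h["entry"] < s["va"] + s["vsize"]), None)
    ep_name = ep["name"] if ep else None
    if ep_name not in STANDARD_CODE_SECTIONS:
        out.append(f"entry point 0x{h['image_base'] + h['entry']:x} lies in {ep_name!r}, not a standard code section")
    for s in h["sections"]:
        n = s["name"]
        if not n or any(b < 0x20 or b > 0x7e for b in n):
            out.append(f"section at RVA 0x{s['va']:x} has an empty or unprintable name {n!r}")
        if s["flags"] & MEM_EXECUTE and s["flags"] & MEM_WRITE:
            out.append(f"{n!r} is writable and executable")
        if s["vsize"] and not s["raw"] and s["flags"] & MEM_EXECUTE:
            out.append(f"{n!r} has no raw data but 0x{s['vsize']:x} bytes of virtual size: filled at run time")
        if (e := entropy(s["raw"])) > 7.0:
            out.append(f"{n!r} entropy {e:.2f}: compressed or encrypted contents")
    clr_dir = h["dirs"][14] if len(h["dirs"]) > 14 else (0, 0)   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if b"_CorExeMain" in pe and clr_dir == (0, 0):              # string scan stands in for full import parsing
        out.append("imports mscoree!_CorExeMain but the CLR header directory is empty: managed image materialised only after unpacking")
    return out


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print("-", line)
```

To run it against a real sample, replace `build_sample_pe()` with `open(path, "rb").read()`; `parse` only reads the PE32 header layout, so a PE32+ (64-bit) image would need the optional-header offsets adjusted.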
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
12/22/23-21:25:08.288793 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
12/22/23-21:25:24.427320 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
12/22/23-21:25:14.003688 | TCP | 2046056 | ET TROJAN Redline Stealer Family Activity (Response) | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
12/22/23-21:25:08.615062 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
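The four alerts describe one TCP session on a non-standard port, with rules firing in both directions. The following script is an added example, not part of the Joe Sandbox report: it takes constructed Snort fast-format alert lines (timestamps, SIDs, messages, IPs and ports copied from the table above; the Classification, Priority and rule-revision fields are placeholders) together with a few packet records copied from the TCP list that follows, and reduces them to a C2 indicator (host, port, SIDs, time window, direction counts). It also implements the report's "connects to many ports of the same IP" heuristic as distinct remote ports per external host; the threshold of 5 is an assumption, and with the single port in these packets the check returns nothing.

```python
"""Snort fast-log alerts and a packet timeline reduced to a C2 indicator summary."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed Snort "fast" alert lines: timestamp, SID, message, IPs and ports copy the
# report's alert table; the [Classification], [Priority] and rule-revision fields are placeholders.
ALERTS = """\
12/22/23-21:25:08.288793  [**] [1:2046045:1] ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49704 -> 195.20.16.188:20749
12/22/23-21:25:08.615062  [**] [1:2043234:1] ET MALWARE Redline Stealer TCP CnC - Id1Response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 195.20.16.188:20749 -> 192.168.2.5:49704
12/22/23-21:25:14.003688  [**] [1:2046056:1] ET TROJAN Redline Stealer Family Activity (Response) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 195.20.16.188:20749 -> 192.168.2.5:49704
12/22/23-21:25:24.427320  [**] [1:2043231:1] ET TROJAN Redline Stealer TCP CnC Activity [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49704 -> 195.20.16.188:20749
"""

# Constructed packet records (src, sport, dst, dport) copied from the first rows of the report's TCP list.
PACKETS = [
    ("192.168.2.5", 49704, "195.20.16.188", 20749),
    ("195.20.16.188", 20749, "192.168.2.5", 49704),
    ("192.168.2.5", 49704, "195.20.16.188", 20749),
    ("192.168.2.5", 49704, "195.20.16.188", 20749),
    ("195.20.16.188", 20749, "192.168.2.5", 49704),
]

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_fast(text):
    """Parse Snort/Suricata fast-format alert lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%y-%H:%M:%S.%f")
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def remote_endpoint(a):
    """The non-RFC1918 side of the flow, whichever direction the rule fired on."""
    return (a["dst"], a["dport"]) if ipaddress.ip_address(a["src"]).is_private else (a["src"], a["sport"])


def c2_summary(alerts):
    """Group alerts by remote endpoint: SIDs hit, time window, and how many fired in each direction."""
    out = {}
    for a in alerts:
        ep = remote_endpoint(a)
        s = out.setdefault(ep, {"sids": set(), "msgs": set(), "first": a["ts"], "last": a["ts"], "to_c2": 0, "from_c2": 0})
        s["sids"].add(a["sid"])
        s["msgs"].add(a["msg"])
        s["first"], s["last"] = min(s["first"], a["ts"]), max(s["last"], a["ts"])
        s["to_c2" if (a["dst"], a["dport"]) == ep else "from_c2"] += 1
    return out


def outbound_ports_per_host(packets):
    """Distinct remote ports contacted per external host, from private -> public packets only."""
    ports = defaultdict(set)
    for src, _, dst, dport in packets:
        if ipaddress.ip_address(src).is_private and not ipaddress.ip_address(dst).is_private:
            ports[dst].add(dport)
    return dict(ports)


def many_ports_same_ip(packets, threshold=5):
    """The report's 'connects to many ports of the same IP' heuristic; the threshold is an assumption."""
    return {ip: sorted(p) for ip, p in outbound_ports_per_host(packets).items() if len(p) >= threshold}


def iocs(summary):
    """Indicator strings suitable for a blocklist: host:port/tcp with the SIDs that fired."""
    return [f"{ip}:{port}/tcp sids={sorted(s['sids'])} window={s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}"
            for (ip, port), s in summary.items()]


if __name__ == "__main__":
    summary = c2_summary(parse_fast(ALERTS))
    print("\n".join(iocs(summary)))
    print("many-ports hits:", many_ports_same_ip(PACKETS))
```

Grouping by the public side of the flow rather than by source/destination is what lets the "Response" rules (server to client) land on the same indicator as the client-side rules; without that, the same C2 shows up twice.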
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 22, 2023 21:25:07.573659897 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:07.897528887 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:07.897830963 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:07.920516968 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:08.245109081 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:08.288793087 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:08.615061998 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:08.829756021 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:13.677577019 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:14.003688097 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:14.003741026 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:14.003813982 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:14.003873110 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:14.048388004 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:14.175782919 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:14.500022888 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:14.548433065 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:14.610325098 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:14.933931112 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:14.933948994 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:14.934087992 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:14.934400082 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:14.934458971 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:14.934468985 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:15.257713079 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:15.257781029 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:15.260581970 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:15.314019918 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:15.361864090 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:15.685625076 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:15.685667038 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:15.685777903 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:15.685978889 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:15.686007977 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:15.686058998 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:15.686130047 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:15.686199903 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:15.686285019 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
Dec 22, 2023 21:25:15.686350107 CET | 49704 | 20749 | 192.168.2.5 | 195.20.16.188
Dec 22, 2023 21:25:15.686410904 CET | 20749 | 49704 | 195.20.16.188 | 192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:15.686487913 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:15.687088966 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:15.687154055 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:15.687211037 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:15.687247992 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:15.687289000 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:15.687289953 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:15.687330008 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:15.687375069 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:15.687843084 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:15.687918901 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:15.727366924 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:15.727443933 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.009742975 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.009825945 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.009872913 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.010003090 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.010447979 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.010509968 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.011409998 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011437893 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011466980 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.011475086 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011498928 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.011503935 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011514902 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011529922 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.011559963 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011583090 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011598110 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.011630058 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011641026 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011686087 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011743069 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011766911 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011811018 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011869907 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011917114 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.011989117 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.012001991 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.012047052 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.012069941 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.012115955 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.012264967 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.012310982 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.012494087 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.012598038 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.051304102 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.334284067 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.334309101 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.334322929 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.334408045 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.334419966 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.334685087 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.335005999 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.335206032 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.335304022 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.335586071 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.335655928 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.335920095 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.336167097 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.336430073 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.336585999 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.336625099 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.336760044 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.336900949 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.336914062 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.337213039 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.337321997 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.337467909 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.337939024 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.338253975 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.338310003 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.338515997 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.338746071 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.338850021 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.338983059 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.339081049 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.339215994 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.339313984 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.340044975 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.340065956 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.340559959 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.346357107 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.346496105 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.660353899 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.660393953 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.660505056 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.660693884 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.660832882 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.660991907 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.661324024 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.661334991 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.661498070 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.661735058 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.662127972 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.662400007 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.662647009 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.662831068 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.663013935 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.663022995 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.663256884 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.663522959 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.663718939 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.663834095 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.670263052 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.670367002 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.670603037 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.670681000 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.670747042 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.670757055 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.671122074 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.671397924 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.671662092 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.671699047 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.671708107 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.671974897 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.672101021 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.672277927 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.672400951 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.672609091 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.672822952 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.673084021 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.673135042 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.673358917 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.673501968 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.673597097 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.674715042 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.674737930 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.674750090 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.674803972 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.674818993 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.674828053 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.675052881 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.675122976 CET4970420749192.168.2.5195.20.16.188
                                                                                                                      Dec 22, 2023 21:25:16.994453907 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.994494915 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.994618893 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.994630098 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.994688034 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.994699001 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.994956970 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.994967937 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.995177031 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.995462894 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.995490074 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.995533943 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.995839119 CET2074949704195.20.16.188192.168.2.5
                                                                                                                      Dec 22, 2023 21:25:16.995850086 CET2074949704195.20.16.188192.168.2.5

Target ID: 0
Start time: 21:24:49
Start date: 22/12/2023
Path: C:\Users\user\Desktop\Notarising.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Notarising.exe
Imagebase: 0xe10000
File size: 4'310'025 bytes
MD5 hash: 300A85702DFEE48866E544B5177704A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2330284235.0000000000E12000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2333325033.0000000003E24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 14.2%
Dynamic/Decrypted Code Coverage: 87.2%
Signature Coverage: 8.5%
Total number of Nodes: 47
Total number of Limit Nodes: 6

                                                                                                                        Control-flow Graph

Control-flow graph of the function at 7839e20 (executed/not-executed colouring and block edges not rendered). Basic blocks span 7839d73-783a1c7; calls to 7839a20, 7839b58, 783a233 and 783a240.
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: Haq$Haq$Haq$Haq$Haq
                                                                                                                        • API String ID: 0-1792267638
                                                                                                                        • Opcode ID: 20a32d78ccb08e81d93529a5ad5a47f6df56f8037c932628416d5bbb267a1c89
                                                                                                                        • Instruction ID: 42038e76c55da335bd98d1a87e421b7d0493aebe65747c4ac5eb74991f68469a
                                                                                                                        • Opcode Fuzzy Hash: 20a32d78ccb08e81d93529a5ad5a47f6df56f8037c932628416d5bbb267a1c89
                                                                                                                        • Instruction Fuzzy Hash: C2C1C175A00356CBCB15DF78C0502ADFBB2FF95305F24866AD446EF241DBB8AA85CB90
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

Control-flow graph of the function at 7b65218 (executed/not-executed colouring and block edges not rendered). Basic blocks span 7b65218-7b65bd3; no calls.
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                                                                        • API String ID: 0-858218434
                                                                                                                        • Opcode ID: 5380842c269341884637352924731ba888af8ddca70564374cf5f62515dabd7d
                                                                                                                        • Instruction ID: e1c68e8e5b0814d1e9d20828a8b7ec739670cefb29fca50ca766255a35568a5b
                                                                                                                        • Opcode Fuzzy Hash: 5380842c269341884637352924731ba888af8ddca70564374cf5f62515dabd7d
                                                                                                                        • Instruction Fuzzy Hash: D332B274A01229CFDB69DF64C994BDEB7B2BF49300F5085E9C10AAB250DB359E85CF80
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

Control-flow graph of the function at 7b67768 (executed/not-executed colouring and block edges not rendered). Basic blocks span 7b67768-7b67b71; no calls.
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                                                                        • API String ID: 0-858218434
                                                                                                                        • Opcode ID: 41ac134fc1fa4943f98d69bb8fbb02ab67b09b7c0f7347206138d45da4a720b6
                                                                                                                        • Instruction ID: e555e84032ce71dcf5a1482de641796d57e468b0288108c4817a9edb84be7738
                                                                                                                        • Opcode Fuzzy Hash: 41ac134fc1fa4943f98d69bb8fbb02ab67b09b7c0f7347206138d45da4a720b6
                                                                                                                        • Instruction Fuzzy Hash: 74C1E5B4E00218CFDB68DFA5C99479DBBB2FF89304F6084A9D509AB254DB345D86CF40
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

Control-flow graph of the function at 7837ee0 (executed/not-executed colouring and block edges not rendered). Basic blocks span 7837ee0-783849d; calls to 7838789, 7838838, 783890e and 783887e.
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: .$1
                                                                                                                        • API String ID: 0-1839485796
                                                                                                                        • Opcode ID: f5dcce1c39061d2f240e880e2c339479f7e830981635d4bfe4ebeb7534aefdb8
                                                                                                                        • Instruction ID: 006e23151394305cc0656b0e4838bbcef86a3146d6045cba5ba10485e4d7793f
                                                                                                                        • Opcode Fuzzy Hash: f5dcce1c39061d2f240e880e2c339479f7e830981635d4bfe4ebeb7534aefdb8
                                                                                                                        • Instruction Fuzzy Hash: 7AF1F074E01328CFDB69DF64C884B9DBBB2BF89305F1081A9D50AAB250DB755E85CF50
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

Control-flow graph of the function at 7b620c9 (executed/not-executed colouring and block edges not rendered). Basic blocks span 7b620c9-7b62558; no calls.
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: .$1
                                                                                                                        • API String ID: 0-1839485796
                                                                                                                        • Opcode ID: 1c81b53c330805397fbf6390d9dcc9a05b76752ac71dfe21a76546e7c69bccf6
                                                                                                                        • Instruction ID: d6fb28af54f5a3cf20739fcdb3298f711549c6929dcdba05a27a4dc81967d8b9
                                                                                                                        • Opcode Fuzzy Hash: 1c81b53c330805397fbf6390d9dcc9a05b76752ac71dfe21a76546e7c69bccf6
                                                                                                                        • Instruction Fuzzy Hash: DBD1C0B4E01218CFDB68DFA4C950B9EB7B2BF49304F2085A9C509AB354DB359E86CF51
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

Control-flow graph of the function at 7b63188 (executed/not-executed colouring and block edges not rendered). Basic blocks span 7b63188-7b634e6; calls to 7830832, 7830830, 7830429 and 7830438.
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: LR]q$PH]q
                                                                                                                        • API String ID: 0-3791814328
                                                                                                                        • Opcode ID: d6248f7f26ac4473dea6107e889a36a8116ca9e164b8213c6bf91d5bc7044de2
                                                                                                                        • Instruction ID: d6d5fd3831fd41cdc6ed4a8a12cd10cb291789a234d5e9271f61f63cd3ae371f
                                                                                                                        • Opcode Fuzzy Hash: d6248f7f26ac4473dea6107e889a36a8116ca9e164b8213c6bf91d5bc7044de2
                                                                                                                        • Instruction Fuzzy Hash: B3A1E3B4E00219CFDB28DFA5C954B9EBBB2FF89304F1085A9D509AB364DB345986CF41
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

Control-flow graph of the function at 7833430 (executed/not-executed colouring and block edges not rendered). Basic blocks span 7833430-78336df; no calls.
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: $]q$$]q
                                                                                                                        • API String ID: 0-127220927
                                                                                                                        • Opcode ID: 0f999610c25446fe16c2d54fe6e7f59480fdee5c515e9d88e0c0c58b87ec9ce8
                                                                                                                        • Instruction ID: d89bab27dd01946a01bb68d51b1d36ceaa463a61aba8212f84160694b099a96f
                                                                                                                        • Opcode Fuzzy Hash: 0f999610c25446fe16c2d54fe6e7f59480fdee5c515e9d88e0c0c58b87ec9ce8
                                                                                                                        • Instruction Fuzzy Hash: 7291BE74E01218CFDB18DFA9D594A9DBBB2FF89305F60846AE419EB350DB359982CF40
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f2cf29535d2115ba650775f50dda1c99b868019b6114c2203e52bc7c609e4b44
                                                                                                                        • Instruction ID: 2267ac3118c32d12316894d77ba091377e9a8c8da41110a266e4ace5134d020d
                                                                                                                        • Opcode Fuzzy Hash: f2cf29535d2115ba650775f50dda1c99b868019b6114c2203e52bc7c609e4b44
• Instruction Fuzzy Hash: B2C2B0B4E012299FCB65DF28D998B9DBBB1EF49300F1041EAD809A7350DB74AE85CF45
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
Similarity
• API ID:
• String ID: @B/
• API String ID: 0-3863299084
• Opcode ID: 9b63085380813fbc548cc1882c45030093ec9ffda2acc4da010c1b9d27d77dfa
• Instruction ID: 75be6d7f4ab29cabdc1e3a2bd4259944d7debfe4617e450973cf622c6b98b031
• Opcode Fuzzy Hash: 9b63085380813fbc548cc1882c45030093ec9ffda2acc4da010c1b9d27d77dfa
• Instruction Fuzzy Hash: E382ADB4A01269CFDB64DF69C988BDDBBB2FB49300F1081EAD509A7250DB359E81CF50
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
Similarity
• API ID:
• String ID: l8=p
• API String ID: 0-1075911181
• Opcode ID: 948780333514182948d0fe280d65af8f20d6490c9c45b1c0a18d80c9b606dd30
• Instruction ID: 9cdda20f1d8f3f7eab384f9378ea94f4fbdfb2b1b819adde6834143ec603b42a
• Opcode Fuzzy Hash: 948780333514182948d0fe280d65af8f20d6490c9c45b1c0a18d80c9b606dd30
• Instruction Fuzzy Hash: 21E1D2B4E01229CFDB68DFA5C954B9EBBB2BF89300F1081EAD509A7250DB345E85CF50
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
Similarity
• API ID:
• String ID: $]q
• API String ID: 0-1007455737
• Opcode ID: e920c7c014b12dc8fcc33ae91ce91290c304c3813dd336a9fc40d868b7e580e9
• Instruction ID: 9a41da64120ced89bdab82f3d556cf8c45264c02ac0eed24273ff0bce7ccfe86
• Opcode Fuzzy Hash: e920c7c014b12dc8fcc33ae91ce91290c304c3813dd336a9fc40d868b7e580e9
• Instruction Fuzzy Hash: 1571D574E01219CFDB58DFA9D494A9DBBB2FF89304F208529D415BB354DB349846CF81
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 320c27a2470737c935d1e7f05d21299226cbcb65ebc21ce3cb8a82197bb274d5
• Instruction ID: d5806bd884451d7ad1c94d0de53d5c081da2f05111b817d0380a98c42ce3b255
• Opcode Fuzzy Hash: 320c27a2470737c935d1e7f05d21299226cbcb65ebc21ce3cb8a82197bb274d5
• Instruction Fuzzy Hash: E08268F4B04716CFDB24CF28D958B697BF1AB48318F1081E9D9099B7A2EB349C45CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58f933c4a42043b10b2435c336dcd08dd126d753c9970181ea9775181c31318e
• Instruction ID: 2df062c3865b283d8034c4649e1f412f7aa705e29bd95373f5a9e28e89a161da
• Opcode Fuzzy Hash: 58f933c4a42043b10b2435c336dcd08dd126d753c9970181ea9775181c31318e
• Instruction Fuzzy Hash: 5042BF74A01229CFDB65DF68C954BEEBBB2BB49300F5085E9C40AAB350DB355E85CF81
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84817d0d3addfc2e635f39e63cd533f0d1f2510b2c1755eee0863a77214f9b37
• Instruction ID: f42cf728ead48aaef344afecb56ee377fd11f270a5275ebaca62d1469cf0454f
• Opcode Fuzzy Hash: 84817d0d3addfc2e635f39e63cd533f0d1f2510b2c1755eee0863a77214f9b37
• Instruction Fuzzy Hash: 2CE1CCF5B017018FEB29DB65C4587AE77EAEF8A700F1444ADD246DB290DB39E801CB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 429f878f1a4443a4ed51582c94a678eedbde2b67939858148fc0098cc02980d1
• Instruction ID: 42ff0e5f1e37ff4c86a0b1681af1dd16933c4b8ce9ec9cb74a40b98309f675b0
• Opcode Fuzzy Hash: 429f878f1a4443a4ed51582c94a678eedbde2b67939858148fc0098cc02980d1
• Instruction Fuzzy Hash: 8E329E74E01629CFDBA5DF69C954BD9B7B2BF49300F1081EAD549A7250EB30AE85CF80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 077185912c22d12267adb3ad877b1085e5d9ff06d297eaf82b85e3efaee4c645
• Instruction ID: 3ba6fbe64d6b7bdd13f67cbf116cb6297dffce41d47459fd67b2c010b1d47d6e
• Opcode Fuzzy Hash: 077185912c22d12267adb3ad877b1085e5d9ff06d297eaf82b85e3efaee4c645
• Instruction Fuzzy Hash: C402B074A01229CFDBA9DF68C954B9EB7B2BF89300F1085E9C409AB350DB359E85CF51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5cc45c6c8ab43b96ca1a5af8006d52b053357f6d74b845a91f85b8b37f76f97
• Instruction ID: f67a8b47af162e2053b42619297cf5c101978e0c05a993410eb650aeb407c716
• Opcode Fuzzy Hash: c5cc45c6c8ab43b96ca1a5af8006d52b053357f6d74b845a91f85b8b37f76f97
• Instruction Fuzzy Hash: AAF1C374A01229CFDB69DF64C950B9EBBB2FF89300F1085A9C509AB350DB355E86CF91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d33d2e633b2765fc5acc33690a8c6307254680b931cb578b176154bb2c99c10
• Instruction ID: 505fe682fcc5444d426205e52e68d1ddc8865ab67fc43b5bd1ba2efd59f882e6
• Opcode Fuzzy Hash: 6d33d2e633b2765fc5acc33690a8c6307254680b931cb578b176154bb2c99c10
• Instruction Fuzzy Hash: F5D1C3B4E01218CFDB68DFA9C954B9DBBB2FF49304F1081A9D409AB350DB359986CF51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a8390a25dd770a5459f294a98d87eda5c75c47103ec5ecc7aa379931bc8774f
• Instruction ID: a74bec2a7eee5b4fb492c126625c5a3133f770c19294399df3471f60701be28a
• Opcode Fuzzy Hash: 3a8390a25dd770a5459f294a98d87eda5c75c47103ec5ecc7aa379931bc8774f
• Instruction Fuzzy Hash: 4AD19FB4E01218CFDB64DFA9C984B9DBBB2FF89301F1091A9D409AB355DB359A81CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1953e059e0f69cfd420902b1d1a4b80612c5a0be732a662fa831d784308713b3
• Instruction ID: b22b9b3d3e0c566ce38173f95f00d51a503c5bd4efb1b5e9d19e1cfdd881bc8d
• Opcode Fuzzy Hash: 1953e059e0f69cfd420902b1d1a4b80612c5a0be732a662fa831d784308713b3
• Instruction Fuzzy Hash: C3C1D8B0D012298FDB68DF69C950BDEBBB2BF89304F1085A9C44DAB250DB755E85CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d01c95052f927e3178679a1e1e5b9383c3ddcc92131863b0817e93a572ff4548
• Instruction ID: bf21b027221b792c31176cac1f98aeac997aa65cc4f3844c71360edbd648f87b
• Opcode Fuzzy Hash: d01c95052f927e3178679a1e1e5b9383c3ddcc92131863b0817e93a572ff4548
• Instruction Fuzzy Hash: 97A1D474E01218DFDB68DFA5C850B9EBBB2FF85300F2081A9C409AB355DB355E868F51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8fe5456ed91a44910996ce76f6865cde942d3dbeef7f594fe2c7a30ac6cfce4
• Instruction ID: a0c3a9caa7ff7e3a7038dadac21ab760d69b2f11876d3b9768854cc094b7fca2
• Opcode Fuzzy Hash: a8fe5456ed91a44910996ce76f6865cde942d3dbeef7f594fe2c7a30ac6cfce4
• Instruction Fuzzy Hash: 8041C1B0E002098BEB58DFAAC95469EFBF2EF89300F24C16AC519AB254DB345946CF40
Uniqueness

Uniqueness Score: -1.00%
Control-flow Graph

• Legend: Executed / Not Executed
• Graph (rendered image not recoverable): 10 basic blocks spanning 3c3d108-3c3d2e5. Block 3c3d108-3c3d1a7 calls GetCurrentProcess, block 3c3d1b0-3c3d1e4 calls GetCurrentThread, block 3c3d1ed-3c3d221 calls GetCurrentProcess, block 3c3d22a-3c3d245 calls 3c3d2e9, and block 3c3d24b-3c3d27a calls GetCurrentThreadId; the function ends at block 3c3d283-3c3d2e5.
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 03C3D196
                                                                                                                        • GetCurrentThread.KERNEL32 ref: 03C3D1D3
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 03C3D210
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 03C3D269
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2333108953.0000000003C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C30000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_3c30000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2063062207-0
                                                                                                                        • Opcode ID: 0d7fd39827bc626f829dc34c8941cc99e317eaff22c314d65e3925f63e6136b5
                                                                                                                        • Instruction ID: 362e6d31cf83892d49c74bcc0ca7af8a91ab1eb36203e5909aab6b917461302d
                                                                                                                        • Opcode Fuzzy Hash: 0d7fd39827bc626f829dc34c8941cc99e317eaff22c314d65e3925f63e6136b5
                                                                                                                        • Instruction Fuzzy Hash: E35189B09003498FCB45CFAAD548B9EBFF1EF49314F248459E049EB390DB359944CB65
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                         Basic blocks and edges (graph rendered as text; executed/not-executed colouring not recoverable):
                                                                                                                         • 638: 3c3d118-3c3d1a7 GetCurrentProcess -> 642, 643
                                                                                                                         • 642: 3c3d1b0-3c3d1e4 GetCurrentThread -> 644, 645
                                                                                                                         • 643: 3c3d1a9-3c3d1af -> 642
                                                                                                                         • 644: 3c3d1e6-3c3d1ec -> 645
                                                                                                                         • 645: 3c3d1ed-3c3d221 GetCurrentProcess -> 647, 648
                                                                                                                         • 647: 3c3d223-3c3d229 -> 648
                                                                                                                         • 648: 3c3d22a-3c3d245 call 3c3d2e9 -> 651
                                                                                                                         • 651: 3c3d24b-3c3d27a GetCurrentThreadId -> 652, 653
                                                                                                                         • 652: 3c3d283-3c3d2e5
                                                                                                                         • 653: 3c3d27c-3c3d282 -> 652
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 03C3D196
                                                                                                                        • GetCurrentThread.KERNEL32 ref: 03C3D1D3
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 03C3D210
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 03C3D269
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2333108953.0000000003C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C30000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_3c30000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2063062207-0
                                                                                                                        • Opcode ID: 345938dee4edf00a4bd25d9af4b9d32a32e4efe3c2b8a09ead3a84d8b24ba534
                                                                                                                        • Instruction ID: 1acb244d76a403311bdefdaa9946314fa4a6fa386db715414c431f5388ca8e82
                                                                                                                        • Opcode Fuzzy Hash: 345938dee4edf00a4bd25d9af4b9d32a32e4efe3c2b8a09ead3a84d8b24ba534
                                                                                                                        • Instruction Fuzzy Hash: 8E5188B09003098FCB54DFAAD548B9EBFF1EF49314F248459E049EB3A0DB35A944CB65
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                         Basic blocks and edges (graph rendered as text; executed/not-executed colouring not recoverable):
                                                                                                                         • 952: 7b68e30-7b68e32 -> 953, 954
                                                                                                                         • 953: 7b68e34 -> 954
                                                                                                                         • 954: 7b68e3c-7b68ea2 PostMessageW -> 955, 956
                                                                                                                         • 955: 7b68ea4-7b68eaa -> 956
                                                                                                                         • 956: 7b68eab-7b68ebf
                                                                                                                        APIs
                                                                                                                         • PostMessageW.USER32(?,00000010,00000000,?), ref: 07B68E95 (Msg 0x10 = WM_CLOSE; hWnd and lParam not resolved by the sandbox)
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessagePost
                                                                                                                        • String ID: W
                                                                                                                        • API String ID: 410705778-655174618
                                                                                                                        • Opcode ID: f2bb99f2082a9bc7f3c3c3a72823d4af01aed67b1c0186e90b79e5afa349b5ef
                                                                                                                        • Instruction ID: aeb854223e57d9bcb1cfc8ccc8e2e5bf86c41f992af165552ce0e4595e459635
                                                                                                                        • Opcode Fuzzy Hash: f2bb99f2082a9bc7f3c3c3a72823d4af01aed67b1c0186e90b79e5afa349b5ef
                                                                                                                        • Instruction Fuzzy Hash: 3E1106B5900249CFDB20CF99C588BDEFFF4EB48724F148459D658A7650C379A544CFA1
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%
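The listing repeats one record shape for every function: an APIs list, a Memory Dump Source line and the Similarity identifiers. As an added example, not code from Joe Sandbox or from the analysed sample, the Python below parses that shape into records, groups the called APIs by the memory region they were dumped from, and flags PostMessage/SendMessage calls whose Msg argument resolved to a known window-control message (the 0x10 seen above is WM_CLOSE). The sample input is constructed from lines of this report; the way the dotted .sdmp file name is split into base address, page protection and region type is an assumption inferred from the values on this page, not a documented Joe Sandbox format.

```python
"""Parse the Joe Sandbox function listing shown on this page (the repeated
'APIs / Memory Dump Source / Similarity' blocks), pivot the calls by memory
region and flag window-control messages. Added example, not Joe Sandbox code."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample input: two blocks copied in the shape this report uses.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 03C3D196
• GetCurrentThreadId.KERNEL32 ref: 03C3D269
Memory Dump Source
• Source File: 00000000.00000002.2333108953.0000000003C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C30000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07B68E95
Memory Dump Source
• Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
Similarity
• API ID: MessagePost
• String ID: W
"""

# name, module, raw argument strings ('?' = unresolved by the sandbox), call-site address
ApiCall = namedtuple("ApiCall", "name module args ref")

@dataclass
class Function:
    calls: list = field(default_factory=list)
    dump_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    api_id: str = ""
    string_id: str = ""

API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)")

def parse_listing(text):
    """One Function per 'APIs' heading; lines the parser does not know are skipped."""
    funcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Function()
            funcs.append(cur)
        elif cur is None:
            continue
        elif m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] is not None else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            cur.dump_file, cur.offset, cur.based_on_pe = m["file"], int(m["off"], 16), m["pe"] == "true"
        elif line.startswith("• API ID:"):
            cur.api_id = line[len("• API ID:"):].strip()
        elif line.startswith("• String ID:"):
            cur.string_id = line[len("• String ID:"):].strip()
    return funcs

# Documented Windows constants.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WINDOW_MSG = {0x0002: "WM_DESTROY", 0x0010: "WM_CLOSE", 0x0012: "WM_QUIT", 0x0112: "WM_SYSCOMMAND"}

def dump_region(dump_file):
    """ASSUMPTION (inferred from this page, not documented): the .sdmp name reads
    <proc>.<phase>.<dump id>.<region base>.<protect>.<?>.<type>.<?>.sdmp (fields 3, 4, 6 used)."""
    f = dump_file.split(".")
    base, protect, mtype = int(f[3], 16), int(f[4], 16), int(f[6], 16)
    return {"base": base, "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "type": MEM_TYPE.get(mtype, hex(mtype))}

def api_by_region(funcs):
    """Map 'base type/protect' -> set of API names called from that region."""
    out = {}
    for fn in funcs:
        r = dump_region(fn.dump_file)
        key = f'{r["base"]:08X} {r["type"]}/{r["protect"]}'
        out.setdefault(key, set()).update(c.name for c in fn.calls)
    return out

def flag_window_messages(funcs):
    """(ref, message) for PostMessage*/SendMessage* calls whose resolved Msg is a known
    window-control message; on this page Msg 0x10 is WM_CLOSE."""
    hits = []
    for fn in funcs:
        for c in fn.calls:
            if c.name.startswith(("PostMessage", "SendMessage")) and len(c.args) > 1 and c.args[1] != "?":
                if msg := WINDOW_MSG.get(int(c.args[1], 16)):
                    hits.append((c.ref, msg))
    return hits

if __name__ == "__main__":
    fns = parse_listing(SAMPLE)
    print(api_by_region(fns), flag_window_messages(fns))
```

Feeding the whole function listing to parse_listing gives one row per function; api_by_region then shows which APIs are reached from the MEM_PRIVATE RWX regions (the JIT-style code at 03C30000 and 07B60000 here) versus the MEM_IMAGE module, and flag_window_messages picks out the WM_CLOSE post so it can be checked against the window-name and process-monitor detection signatures listed in the overview.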

                                                                                                                        APIs
                                                                                                                         • PostMessageW.USER32(?,00000010,00000000,?), ref: 07B68E95 (Msg 0x10 = WM_CLOSE; hWnd and lParam not resolved by the sandbox)
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessagePost
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 410705778-0
                                                                                                                        • Opcode ID: aef2035932106ddef7d72b25ea56dd32644264f26909912dd4878e44aaaf801f
                                                                                                                        • Instruction ID: a2bac64a2c9cd3f77c239f2c54592bcc080f729d26dd84052c8e2a2a7dcde1ac
                                                                                                                        • Opcode Fuzzy Hash: aef2035932106ddef7d72b25ea56dd32644264f26909912dd4878e44aaaf801f
                                                                                                                        • Instruction Fuzzy Hash: 323180728093E59FD711DF7CD968ADABFF4EF46214F04409BD0849B162C2789548CBEA
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 03C35A49
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2333108953.0000000003C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C30000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_3c30000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Create
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2289755597-0
                                                                                                                        • Opcode ID: 1778207a78ec5d68fc244d62ace284546f7b509b991f060766e7b097f1fe3cbf
                                                                                                                        • Instruction ID: 6cfcdba2e722042fd7a5ea2fc79efdea2dbc3e59bd5456f345a96078cecec201
                                                                                                                        • Opcode Fuzzy Hash: 1778207a78ec5d68fc244d62ace284546f7b509b991f060766e7b097f1fe3cbf
                                                                                                                        • Instruction Fuzzy Hash: 4B41EEB0C00719CBDB24DFA9C884B9EBBB5FF4A304F24806AD408AB255DB756946CF91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 03C35A49
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2333108953.0000000003C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C30000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_3c30000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Create
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2289755597-0
                                                                                                                        • Opcode ID: 504a75d0c9cb8debe81d75618308ecc51ff9076cf5db3c406c690d1e0c0fc27d
                                                                                                                        • Instruction ID: ee7a917b51aba4d663fedd988637d9a71a02ca3cb1585381d1c6572fefb75a1e
                                                                                                                        • Opcode Fuzzy Hash: 504a75d0c9cb8debe81d75618308ecc51ff9076cf5db3c406c690d1e0c0fc27d
                                                                                                                        • Instruction Fuzzy Hash: 0341EEB0C00619CBDB24DFA9C984B9EBBB5BF4A304F24806AD418BB255DB756946CF90
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                         • PostMessageW.USER32(?,00000010,00000000,?), ref: 07B68E95 (Msg 0x10 = WM_CLOSE; hWnd and lParam not resolved by the sandbox)
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessagePost
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 410705778-0
                                                                                                                        • Opcode ID: 6f3725ccd8cd1f97ce13e7204b9027b40294cb313ed0bad906c982937bcbc39f
                                                                                                                        • Instruction ID: 77c39b08fa4abaa86db66a4ebf1fcf6eb144dd362401ece2f2f3e312b628511c
                                                                                                                        • Opcode Fuzzy Hash: 6f3725ccd8cd1f97ce13e7204b9027b40294cb313ed0bad906c982937bcbc39f
                                                                                                                        • Instruction Fuzzy Hash: 2611F5B58003499FDB20DF99C889BDEBBF8EB58710F108459E618A7600C378A944CFA1
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • OpenFileMappingW.KERNELBASE ref: 011DD302
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2330383938.0000000001130000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2330272588.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330284235.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330321368.0000000000E42000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330333138.0000000000E43000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330333138.0000000000E47000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330333138.0000000000E56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000000EE0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000000F07000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000000F1E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000000F20000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000000F28000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000000F44000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010AA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010AC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010AE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010B4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010BA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010BE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010C8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010CC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010CE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010D0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010D6000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010D8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010E8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010EC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010F2000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.00000000010FF000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000001103000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2330383938.0000000001105000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_Notarising.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FileMappingOpen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1680863896-0
                                                                                                                        • Opcode ID: c7c9411096a7d08f17a55cb52f768575e1f7bd2ac2a7f5d258fcfdf90d378bdc
                                                                                                                        • Instruction ID: 06c0fe0b6a5869518a6efca3f4a803a292bfdc8639b0990156daaf376112db45
                                                                                                                        • Opcode Fuzzy Hash: c7c9411096a7d08f17a55cb52f768575e1f7bd2ac2a7f5d258fcfdf90d378bdc
                                                                                                                        • Instruction Fuzzy Hash: 7AE09AB110C30CEBCA2D3985EC45B7AF3A8AB40211F0A002D879203240FB31A8548AEF
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?), ref: 0120481E
Memory Dump Source
• Source File: 00000000.00000002.2330383938.0000000001130000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000000.00000002.2330272588.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330284235.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330321368.0000000000E42000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330333138.0000000000E43000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330333138.0000000000E47000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330333138.0000000000E56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000000EE0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000000F07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000000F1E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000000F20000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000000F28000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000000F44000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010B4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010BE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010D0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010DA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010E8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010EC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.00000000010FF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000001103000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2330383938.0000000001105000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e10000_Notarising.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 51e19f277f37ffa1fd443258036b5762b7f318e2df9a9c551d57869dbde5921e
• Instruction ID: 2ae6cd07dcb02f7657387a5999859b290433c5dbfd1f888fca99e2f0d9da75e9
• Opcode Fuzzy Hash: 51e19f277f37ffa1fd443258036b5762b7f318e2df9a9c551d57869dbde5921e
• Instruction Fuzzy Hash: E7D0C77013C7C8E7D72F7B948C06738B6B89F00301F05C615DB5616192EBB46A64C6DB
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2332783507.0000000003AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3aad000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8549b0e0ac294cec74296a367325e90b3f5dbc8c648c82a83d1f85410ae1039
• Instruction ID: 7b5167fea62db109cb59aabad2f68a69a7f6f09d633cfdb0d80bee45317bb1ed
• Opcode Fuzzy Hash: c8549b0e0ac294cec74296a367325e90b3f5dbc8c648c82a83d1f85410ae1039
• Instruction Fuzzy Hash: 2B210672500640EFCB05CF58D9D0F26BFA5FB8C314F2485AEE9890B666C33AD416CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2332783507.0000000003AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3aad000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bda4803cc84e282457f035ca4c1017b8baedab8879909a3a916faaef74e3bc70
• Instruction ID: 16feba0261eb550f5161ae6b4923ce2d875e2d0520bc8e0d5f4c02f686783e71
• Opcode Fuzzy Hash: bda4803cc84e282457f035ca4c1017b8baedab8879909a3a916faaef74e3bc70
• Instruction Fuzzy Hash: C8213672100604DFDB05DF18C9C0B26FF69FBA8314F24C1AED9490B616C33AE446C6A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2332821494.0000000003ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03ABD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3abd000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69c7013ce81a6dca0dcde4f934c63d2331e84af4ce40e537b1481203c84d6f0a
• Instruction ID: d9daff043790277803d3eb49fd5054cb1e1d5782fda1fa9cb1cf751f3057a9a3
• Opcode Fuzzy Hash: 69c7013ce81a6dca0dcde4f934c63d2331e84af4ce40e537b1481203c84d6f0a
• Instruction Fuzzy Hash: C921F275604244DFCB14DF24D984B66BF79FB88314F24C5AED90A4B257C33AD847CA61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2332821494.0000000003ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03ABD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3abd000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d46303e87ae45c7ef986687b676c1b3203a30a770528e84706373b3919e70a65
• Instruction ID: e9a46e17b23f8658fb62ba99061af83555801ba5664a771d41c878981f018db4
• Opcode Fuzzy Hash: d46303e87ae45c7ef986687b676c1b3203a30a770528e84706373b3919e70a65
• Instruction Fuzzy Hash: 2F219D755093808FCB02CF24D994B15BF71EB46214F28C5EFD8498F6A7C33A980ACB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2332783507.0000000003AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3aad000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e04b644a7838c5ce6bce34d941609046b64e90dbb87fcee773936ede6a2c397
• Instruction ID: bd8733e99dd01acbe914a23a7bc384b7b72710ee86444978708e2764fcad1e06
• Opcode Fuzzy Hash: 2e04b644a7838c5ce6bce34d941609046b64e90dbb87fcee773936ede6a2c397
• Instruction Fuzzy Hash: AC21A276504680DFCB16CF14D9C4B16BF72FB88314F28C6AED9480B626C33AD456DB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2332783507.0000000003AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3aad000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b54bb84eaa7aa8c3f09590ffd1acec677623e6eec99b9d5111f11c645d4517b
• Instruction ID: 7dd046b82cd6fee9d78a5baa6eda4c6a08718609f55f9884fdd6d595e6b73c5b
• Opcode Fuzzy Hash: 7b54bb84eaa7aa8c3f09590ffd1acec677623e6eec99b9d5111f11c645d4517b
• Instruction Fuzzy Hash: C011DF76404640CFDB02CF04D5C4B16FF61FB94324F28C6AED9490B616C33AE45ACBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2332783507.0000000003AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3aad000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a2a691c3a52023892b622175a17e3f8f18bd14ce7d5c3725ab8c559a654bf8ee
• Instruction ID: 2c2f635185d300f028d9cc14d885a832c6976d59e2de8f025a34fba9bab0eec2
• Opcode Fuzzy Hash: a2a691c3a52023892b622175a17e3f8f18bd14ce7d5c3725ab8c559a654bf8ee
• Instruction Fuzzy Hash: 64018432008B449AD720CB1EC994B66FFACEF45324F18C46FED484BA56C7799841C671
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2332783507.0000000003AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3aad000_Notarising.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19d6323bdcfdb4cce32bc04e2e9e254fb7c6a6aefea99a12945b21010a95b3cc
• Instruction ID: fe462213ea8b2a41d4f818ba341f7ccd7b5ccd55aef4a9d4d5ed17afd9698f27
• Opcode Fuzzy Hash: 19d6323bdcfdb4cce32bc04e2e9e254fb7c6a6aefea99a12945b21010a95b3cc
• Instruction Fuzzy Hash: 77F06272408744AEE7208F1ED988B66FF98EF45724F18C45EED484B696C3799844CA71
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: Haq
                                                                                                                        • API String ID: 0-725504367
                                                                                                                        • Opcode ID: 3740e74885d730ceb7a30d45bb5d1c1c3e6f84a68d3f137bce3b325ec3929938
                                                                                                                        • Instruction ID: f8668cefe966a73988b530bc8d7bb9247f69d5330b28dc4521db4dded6d18795
                                                                                                                        • Opcode Fuzzy Hash: 3740e74885d730ceb7a30d45bb5d1c1c3e6f84a68d3f137bce3b325ec3929938
                                                                                                                        • Instruction Fuzzy Hash: B0E1B2B0A0426E8BDB15CF79C4441ADFBF1AF86301F14C6A6D546EB240E778DA85CB91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: $]q
                                                                                                                        • API String ID: 0-1007455737
                                                                                                                        • Opcode ID: 0611d26e2547292e0d49e3a2745c22515f299020393d609269ce6764723b68eb
                                                                                                                        • Instruction ID: 8038b6155ca5296af459c094daf0665e359202c26db95fb677d6558676c6a44e
                                                                                                                        • Opcode Fuzzy Hash: 0611d26e2547292e0d49e3a2745c22515f299020393d609269ce6764723b68eb
                                                                                                                        • Instruction Fuzzy Hash: 74E1A474E012188FDB58DFA8C950B9DBBB2FF49300F6085AAC51AAB354DB359D86CF50
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: c222687b94fde82859fa799c5159a16cd5495d2079cd9b31773ca6b71f840499
                                                                                                                        • Instruction ID: 085a4fc4ddccdb6468eca42d0e1a585e31b859ec35a5897011b820a10c508fe4
                                                                                                                        • Opcode Fuzzy Hash: c222687b94fde82859fa799c5159a16cd5495d2079cd9b31773ca6b71f840499
                                                                                                                        • Instruction Fuzzy Hash: 65429EB4A012288FDB68DF64C994BDDBBB2FF49304F1085E9D549AB260DB349E85CF50
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 8602f7745136bccc53317a3bb3cea6dc8f4f2eae94c635eafc8ea19f80bb1c29
                                                                                                                        • Instruction ID: bc3b6638611d088f95bd593c4c12b4f0ff14beca8ff07b78c221ce87189a8cc2
                                                                                                                        • Opcode Fuzzy Hash: 8602f7745136bccc53317a3bb3cea6dc8f4f2eae94c635eafc8ea19f80bb1c29
                                                                                                                        • Instruction Fuzzy Hash: A8E191B4E01228CFDB65DFA5C950B9DBBB2FF49300F5081AAC50AAB251DB355E85CF50
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ab60a530cd57bab319d27aaf4a33ce3f778746cd33d1aa0bffee9d72bed0cfb8
                                                                                                                        • Instruction ID: 229aded5ba3a3e0c1c84b09c480c5b63364459fd64f7f45ce81610460f11843c
                                                                                                                        • Opcode Fuzzy Hash: ab60a530cd57bab319d27aaf4a33ce3f778746cd33d1aa0bffee9d72bed0cfb8
                                                                                                                        • Instruction Fuzzy Hash: 4CF1A1B4E01228CFDB68DF65C984B9DBBB2FB49300F1085AAD519AB350DB759E81CF50
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6c459015480fe8a422c611d647bf35d742d3d207f68dca014dafe1f194ceba7c
                                                                                                                        • Instruction ID: 6a97917bdf5570eccf702f17cb1f0899ef971419964ef877ca3bfcd875c9b721
                                                                                                                        • Opcode Fuzzy Hash: 6c459015480fe8a422c611d647bf35d742d3d207f68dca014dafe1f194ceba7c
                                                                                                                        • Instruction Fuzzy Hash: 2FE1C1B4E01229CFDB64DF65C994B9EBBB2BF89300F1085AAC509A7350DB345E85CF51
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: c46f94d6b608140f32ad22974e78c9d278aa26951bc106ad39892eda7079018f
                                                                                                                        • Instruction ID: d332131fe2721e2914eacc659e081fff2ed49e754e8a2a916cac088c3e79b8ab
                                                                                                                        • Opcode Fuzzy Hash: c46f94d6b608140f32ad22974e78c9d278aa26951bc106ad39892eda7079018f
                                                                                                                        • Instruction Fuzzy Hash: A1C1B074E01218CFDB58DFA9C890A9DBBB2FF89300F2085AAD409AB355DB355D86CF51
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2333108953.0000000003C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C30000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_3c30000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3937a677c8cff8f90f1653d718801774fd7c1cf285d8601cbb8f3f8b26178fbe
                                                                                                                        • Instruction ID: 748de340ee571f3e9f05b537829a9abaeb4a6e9e731754bfedc2c33c6d0227c5
                                                                                                                        • Opcode Fuzzy Hash: 3937a677c8cff8f90f1653d718801774fd7c1cf285d8601cbb8f3f8b26178fbe
                                                                                                                        • Instruction Fuzzy Hash: 05A14B36E00209CFCF05DFB5D8445AEB7B2BF85300B1945AAE806EF265DB31E955CB90
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0963ccd66ae7ce5abf98a738b12a11e2271e63113acb2ce081e967dc14329772
                                                                                                                        • Instruction ID: ee5f4d95473a80ad9222712ac9e4742076686b20f89a5cd6dfd2a67370147382
                                                                                                                        • Opcode Fuzzy Hash: 0963ccd66ae7ce5abf98a738b12a11e2271e63113acb2ce081e967dc14329772
                                                                                                                        • Instruction Fuzzy Hash: 21C19F74E01218CFDB58DFA9C990A9DBBB2FF89300F2085AAD419AB354DB345D86CF51
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 32b1ff6e7ce1e20ac14d3f9db6275b145d3c2cf373b635ba54e4ccc717bc492d
                                                                                                                        • Instruction ID: f8133eaecb583712d53514720bb1f00e71485865d42315d704473d637e6f7efe
                                                                                                                        • Opcode Fuzzy Hash: 32b1ff6e7ce1e20ac14d3f9db6275b145d3c2cf373b635ba54e4ccc717bc492d
                                                                                                                        • Instruction Fuzzy Hash: 14B1B1B4E01218CFDB68DFA5C954A9DBBB2FF89300F2080A9D509AB354DB359D86CF41
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2346110119.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7830000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ac92ecdedba645105ed4ad2a225dca64b57757d72750ef315db4032680b1191d
                                                                                                                        • Instruction ID: 56edf4c6c367448f95ddcf1e173a2ae98cc84f02c37bf611c2e5b8c871994c0a
                                                                                                                        • Opcode Fuzzy Hash: ac92ecdedba645105ed4ad2a225dca64b57757d72750ef315db4032680b1191d
                                                                                                                        • Instruction Fuzzy Hash: 3F91EA70D012298FDB69DF69C9507DEBBB2BF89300F1085EAC549AB250DB315E85CF50
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 93a8281a4d37bdb4e73a2d5f36ab0c29605f7cb385b70f71de82cd416cc3c0be
                                                                                                                        • Instruction ID: ae388adf02b7860c42fcba369d74fe63d146f4f498b9d522696b1221785ed621
                                                                                                                        • Opcode Fuzzy Hash: 93a8281a4d37bdb4e73a2d5f36ab0c29605f7cb385b70f71de82cd416cc3c0be
                                                                                                                        • Instruction Fuzzy Hash: 3891D5B4E012288FDB68DFA5C954B9EBBB2FF89300F5081EAC509A7250DB354E85CF51
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2347118557.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7b60000_Notarising.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: