Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
44QHzbqD3m.exe

Overview

General Information

Sample name:44QHzbqD3m.exe
renamed because original name is a hash value
Original sample name:11ae7e8293ed1c199cde872ee52d910d.exe
Analysis ID:1430977
MD5:11ae7e8293ed1c199cde872ee52d910d
SHA1:e8acbfe5d1015b5554237749e5d270bc2efbf0ab
SHA256:0d28a4525dba00368e0a1a146b0c1e75656215338358a7dbd65ee5ca2508cacf
Tags:exeRedLineStealer
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • 44QHzbqD3m.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\44QHzbqD3m.exe" MD5: 11AE7E8293ED1C199CDE872EE52D910D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
44QHzbqD3m.exeJoeSecurity_RedLineYara detected RedLine StealerJoe Security

    PCAP (Network Traffic)

    SourceRuleDescriptionAuthorStrings
    dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
      dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000000.00000000.1635191784.0000000000DF2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
          00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
              00000000.00000002.1807370130.000000000339A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                Process Memory Space: 44QHzbqD3m.exe PID: 6344JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  Click to see the 1 entries

                  Unpacked PEs

                  SourceRuleDescriptionAuthorStrings
                  0.0.44QHzbqD3m.exe.df0000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security

                    Sigma Signatures

                    No Sigma rule has matched

                    Snort Signatures

                    Timestamp:04/24/24-12:37:07.455958
                    SID:2046056
                    Source Port:2630
                    Destination Port:49730
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:04/24/24-12:37:01.914552
                    SID:2046045
                    Source Port:49730
                    Destination Port:2630
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:04/24/24-12:37:15.327587
                    SID:2043231
                    Source Port:49730
                    Destination Port:2630
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:04/24/24-12:37:02.151800
                    SID:2043234
                    Source Port:2630
                    Destination Port:49730
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 44QHzbqD3m.exeMalware Configuration Extractor: RedLine {"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}
                    Source: 44QHzbqD3m.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 44QHzbqD3m.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: c29d93bf0}.Tntkrnlmp.pdb source: 44QHzbqD3m.exe, 00000000.00000002.1814405574.0000000006E30000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: WINLOA~1.PDBwinload_prod.pdbF@ source: 44QHzbqD3m.exe, 00000000.00000002.1814405574.0000000006E30000.00000004.00000020.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 4x nop then jmp 07E1B488h0_2_07E1AF90
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 4x nop then jmp 07E17242h0_2_07E16F90
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 4x nop then jmp 07E183F7h0_2_07E17C98
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 4x nop then jmp 07E17BF4h0_2_07E17930

                    Networking

                    barindex
                    Snort IDS alert for network traffic
                    Source: TrafficSnort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 103.113.70.99:2630
                    Source: TrafficSnort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 103.113.70.99:2630
                    Source: TrafficSnort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 103.113.70.99:2630 -> 192.168.2.4:49730
                    Source: TrafficSnort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 103.113.70.99:2630 -> 192.168.2.4:49730
                    C2 URLs / IPs found in malware configuration
                    Source: Malware configuration extractorURLs: 103.113.70.99:2630
                    Source: global trafficTCP traffic: 192.168.2.4:49730 -> 103.113.70.99:2630
                    Source: Joe Sandbox ViewIP Address: 103.113.70.99 103.113.70.99
                    Source: Joe Sandbox ViewASN Name: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: unknownTCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce4
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.000000000339A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15V
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Responseus
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.00000000032FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.000000000339A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.000000000339A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4rA
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003387000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003387000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.00000000032FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: 44QHzbqD3m.exeString found in binary or memory: https://api.ip.sb/ip
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp7E60.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp7E50.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_055DDC740_2_055DDC74
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A367D80_2_06A367D8
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A3A3E80_2_06A3A3E8
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A3A3D80_2_06A3A3D8
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A36FE80_2_06A36FE8
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A36FF80_2_06A36FF8
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E1A2E00_2_07E1A2E0
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E1AF900_2_07E1AF90
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E16F900_2_07E16F90
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E18D380_2_07E18D38
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E1CC280_2_07E1CC28
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E168E80_2_07E168E8
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E1DD780_2_07E1DD78
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E17C980_2_07E17C98
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E1A2DD0_2_07E1A2DD
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E14E480_2_07E14E48
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E14E370_2_07E14E37
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs 44QHzbqD3m.exe
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1806623028.000000000156E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 44QHzbqD3m.exe
                    Source: 44QHzbqD3m.exe, 00000000.00000000.1635219062.0000000000E36000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameUpspearing.exe8 vs 44QHzbqD3m.exe
                    Source: 44QHzbqD3m.exeBinary or memory string: OriginalFilenameUpspearing.exe8 vs 44QHzbqD3m.exe
                    Source: 44QHzbqD3m.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/5@0/1
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp7E50.tmpJump to behavior
                    Source: 44QHzbqD3m.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 44QHzbqD3m.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003685000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003677000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.000000000365F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: esdsip.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
                    Source: Google Chrome.lnk.0.drLNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: 44QHzbqD3m.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 44QHzbqD3m.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: 44QHzbqD3m.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: c29d93bf0}.Tntkrnlmp.pdb source: 44QHzbqD3m.exe, 00000000.00000002.1814405574.0000000006E30000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: WINLOA~1.PDBwinload_prod.pdbF@ source: 44QHzbqD3m.exe, 00000000.00000002.1814405574.0000000006E30000.00000004.00000020.00020000.00000000.sdmp
                    Source: 44QHzbqD3m.exeStatic PE information: 0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A240AD push ebx; retn FC07h0_2_06A2430A
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A21DAE push FFFFFF8Bh; retf 0_2_06A21DB1
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A23BDC push E806F64Ah; retf 0_2_06A23BE1
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A3C711 push es; ret 0_2_06A3C720
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A3D412 push es; ret 0_2_06A3D420
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A3E060 push es; ret 0_2_06A3E070
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A3ECF2 push eax; ret 0_2_06A3ED01
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A33B4F push dword ptr [esp+ecx*2-75h]; ret 0_2_06A33B53
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_06A349AB push FFFFFF8Bh; retf 0_2_06A349AD
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E12060 pushfd ; iretd 0_2_07E120D5

                    Persistence and Installation Behavior

                    barindex
                    Installs new ROOT certificates
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 BlobJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeMemory allocated: 17B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeMemory allocated: 3190000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeMemory allocated: 17B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWindow / User API: threadDelayed 977Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWindow / User API: threadDelayed 2723Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exe TID: 3624Thread sleep time: -15679732462653109s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exe TID: 6536Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1814405574.0000000006DED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeCode function: 0_2_07E18D38 LdrInitializeThunk,0_2_07E18D38
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeMemory allocated: page read and write | page guardJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Users\user\Desktop\44QHzbqD3m.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1819047477.0000000007C95000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    barindex
                    Yara detected RedLine Stealer
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 44QHzbqD3m.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.44QHzbqD3m.exe.df0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.1635191784.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 44QHzbqD3m.exe PID: 6344, type: MEMORYSTR
                    Found many strings related to Crypto-Wallets (likely being stolen)
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1806697791.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1806697791.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003387000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.000000000339A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.walletLRdq
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1806697791.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets\*m
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ExodusE#
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.000000000339A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: $dq%appdata%`,dqdC:\Users\user\AppData\Roaming`,dqdC:\Users\user\AppData\Roaming\Binance
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1806697791.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets\*m
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1814405574.0000000006DD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\*]?
                    Source: 44QHzbqD3m.exe, 00000000.00000002.1807370130.000000000339A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: $dq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Tries to steal Crypto Currency Wallets
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                    Source: C:\Users\user\Desktop\44QHzbqD3m.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                    Source: Yara matchFile source: 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1807370130.000000000339A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 44QHzbqD3m.exe PID: 6344, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected RedLine Stealer
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 44QHzbqD3m.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.44QHzbqD3m.exe.df0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.1635191784.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 44QHzbqD3m.exe PID: 6344, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		1
                    Masquerading                    		1
                    OS Credential Dumping                    		231
                    Security Software Discovery                    		Remote Services1
                    Archive Collected Data                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                    Disable or Modify Tools                    		LSASS Memory1
                    Process Discovery                    		Remote Desktop Protocol3
                    Data from Local System                    		1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)241
                    Virtualization/Sandbox Evasion                    		Security Account Manager241
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared Drive1
                    Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
                    Obfuscated Files or Information                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Install Root Certificate                    		LSA Secrets1
                    File and Directory Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Timestomp                    		Cached Domain Credentials113
                    System Information Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    DLL Side-Loading                    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    No Antivirus matches

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    https://api.ip.sb/ip0%URL Reputationsafe
                    http://tempuri.org/Entity/Id14ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id23ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id12Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id2Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id15V0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id21Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id90%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id14ResponseD2%VirustotalBrowse
                    http://tempuri.org/Entity/Id2Response2%VirustotalBrowse
                    http://tempuri.org/Entity/Id23ResponseD1%VirustotalBrowse
                    http://tempuri.org/Entity/Id80%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id21Response4%VirustotalBrowse
                    http://tempuri.org/Entity/Id6ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id91%VirustotalBrowse
                    http://tempuri.org/Entity/Id50%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id70%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id60%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id15V1%VirustotalBrowse
                    http://tempuri.org/2%VirustotalBrowse
                    http://tempuri.org/Entity/Id13ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id51%VirustotalBrowse
                    http://tempuri.org/Entity/Id15Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id5ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id6Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id12Response2%VirustotalBrowse
                    http://tempuri.org/Entity/Id71%VirustotalBrowse
                    http://tempuri.org/Entity/Id15Response2%VirustotalBrowse
                    http://tempuri.org/Entity/Id5ResponseD2%VirustotalBrowse
                    http://tempuri.org/Entity/Id81%VirustotalBrowse
                    http://tempuri.org/Entity/Id61%VirustotalBrowse
                    http://tempuri.org/Entity/Id1ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id6ResponseD1%VirustotalBrowse
                    http://tempuri.org/Entity/Id9Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id6Response2%VirustotalBrowse
                    http://tempuri.org/Entity/Id19Responseus0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id200%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id210%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id220%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id1ResponseD1%VirustotalBrowse
                    http://tempuri.org/Entity/Id230%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id240%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id211%VirustotalBrowse
                    http://tempuri.org/Entity/Id231%VirustotalBrowse
                    http://tempuri.org/Entity/Id221%VirustotalBrowse
                    http://tempuri.org/Entity/Id24Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id241%VirustotalBrowse
                    http://tempuri.org/Entity/Id201%VirustotalBrowse
                    http://tempuri.org/Entity/Id9Response2%VirustotalBrowse
                    http://tempuri.org/Entity/Id1Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id13ResponseD1%VirustotalBrowse
                    http://tempuri.org/Entity/Id21ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id4rA0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id100%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id1Response2%VirustotalBrowse
                    http://tempuri.org/Entity/Id110%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id10ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id120%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id16Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id21ResponseD1%VirustotalBrowse
                    http://tempuri.org/Entity/Id111%VirustotalBrowse
                    http://tempuri.org/Entity/Id10ResponseD1%VirustotalBrowse
                    http://tempuri.org/Entity/Id24Response1%VirustotalBrowse
                    http://tempuri.org/Entity/Id101%VirustotalBrowse
                    http://tempuri.org/Entity/Id130%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id140%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id150%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id121%VirustotalBrowse
                    http://tempuri.org/Entity/Id160%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id170%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id180%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id131%VirustotalBrowse
                    http://tempuri.org/Entity/Id5Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id190%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id16Response2%VirustotalBrowse
                    http://tempuri.org/Entity/Id15ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id181%VirustotalBrowse
                    http://tempuri.org/Entity/Id10Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id171%VirustotalBrowse
                    http://tempuri.org/Entity/Id141%VirustotalBrowse
                    http://tempuri.org/Entity/Id11ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id161%VirustotalBrowse
                    http://tempuri.org/Entity/Id8Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id151%VirustotalBrowse
                    http://tempuri.org/Entity/Id17ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id8ResponseD0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    No contacted domains info

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://schemas.xmlsoap.org/ws/2005/02/sc/sct44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://tempuri.org/Entity/Id14ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                          • 2%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id23ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.000000000339A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • 1%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          		unknown
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://tempuri.org/Entity/Id12Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 2%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 2%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id2Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 2%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id15V44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 1%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha144QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://tempuri.org/Entity/Id21Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                              • 4%, Virustotal, Browse
                              • Avira URL Cloud: safe
                              		unknown
                              http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://tempuri.org/Entity/Id944QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                • 1%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                		unknown
                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://tempuri.org/Entity/Id844QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • 1%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://tempuri.org/Entity/Id6ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003387000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • 1%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://tempuri.org/Entity/Id544QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • 1%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://tempuri.org/Entity/Id744QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 1%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://tempuri.org/Entity/Id644QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 1%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce444QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://tempuri.org/Entity/Id13ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • 1%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/fault44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://tempuri.org/Entity/Id15Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • 2%, Virustotal, Browse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://tempuri.org/Entity/Id5ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • 2%, Virustotal, Browse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp944QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://tempuri.org/Entity/Id6Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003387000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • 2%, Virustotal, Browse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://api.ip.sb/ip44QHzbqD3m.exefalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://schemas.xmlsoap.org/ws/2004/04/sc44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://tempuri.org/Entity/Id1ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • 1%, Virustotal, Browse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://tempuri.org/Entity/Id9Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • 2%, Virustotal, Browse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://tempuri.org/Entity/Id19Responseus44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://tempuri.org/Entity/Id2044QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • 1%, Virustotal, Browse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://tempuri.org/Entity/Id2144QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • 1%, Virustotal, Browse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://tempuri.org/Entity/Id2244QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • 1%, Virustotal, Browse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA144QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://tempuri.org/Entity/Id2344QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • 1%, Virustotal, Browse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA144QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://tempuri.org/Entity/Id2444QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • 1%, Virustotal, Browse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://tempuri.org/Entity/Id24Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • 1%, Virustotal, Browse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            http://tempuri.org/Entity/Id1Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • 2%, Virustotal, Browse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          http://tempuri.org/Entity/Id21ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • 1%, Virustotal, Browse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          http://tempuri.org/Entity/Id4rA44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressing44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trust44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://tempuri.org/Entity/Id1044QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • 1%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  http://tempuri.org/Entity/Id1144QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • 1%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  http://tempuri.org/Entity/Id10ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • 1%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  http://tempuri.org/Entity/Id1244QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • 1%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  http://tempuri.org/Entity/Id16Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • 2%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      http://tempuri.org/Entity/Id1344QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://tempuri.org/Entity/Id1444QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://tempuri.org/Entity/Id1544QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://tempuri.org/Entity/Id1644QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://tempuri.org/Entity/Id1744QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://tempuri.org/Entity/Id1844QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://tempuri.org/Entity/Id5Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://tempuri.org/Entity/Id1944QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, 44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        http://tempuri.org/Entity/Id15ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.000000000339A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        		unknown
                                                                                                        http://tempuri.org/Entity/Id10Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        		unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Renew44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          http://tempuri.org/Entity/Id11ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          http://tempuri.org/Entity/Id8Response44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.044QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  http://schemas.xmlsoap.org/ws/2006/02/addressingidentity44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://tempuri.org/Entity/Id17ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    		unknown
                                                                                                                    http://schemas.xmlsoap.org/soap/envelope/44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003191000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      http://tempuri.org/Entity/Id8ResponseD44QHzbqD3m.exe, 00000000.00000002.1807370130.00000000032FD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey44QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA144QHzbqD3m.exe, 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          		high

                                                                                                                          World Map of Contacted IPs

                                                                                                                          • No. of IPs < 25%
                                                                                                                          • 25% < No. of IPs < 50%
                                                                                                                          • 50% < No. of IPs < 75%
                                                                                                                          • 75% < No. of IPs

                                                                                                                          Public IPs

                                                                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                                                                          103.113.70.99
                                                                                                                          		unknownIndia
                                                                                                                          		133973NETCONNECTWIFI-ASNetConnectWifiPvtLtdINtrue

                                                                                                                          General Information

                                                                                                                          Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                          Analysis ID:1430977
                                                                                                                          Start date and time:2024-04-24 12:36:12 +02:00
                                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                                          Overall analysis duration:0h 3m 59s
                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                          Report type:full
                                                                                                                          Cookbook file name:default.jbs
                                                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                          Number of analysed new started processes analysed:4
                                                                                                                          Number of new started drivers analysed:0
                                                                                                                          Number of existing processes analysed:0
                                                                                                                          Number of existing drivers analysed:0
                                                                                                                          Number of injected processes analysed:0
                                                                                                                          Technologies:
                                                                                                                          • HCA enabled
                                                                                                                          • EGA enabled
                                                                                                                          • AMSI enabled
                                                                                                                          Analysis Mode:default
                                                                                                                          Analysis stop reason:Timeout
                                                                                                                          Sample name:44QHzbqD3m.exe
                                                                                                                          renamed because original name is a hash value
                                                                                                                          Original Sample Name:11ae7e8293ed1c199cde872ee52d910d.exe
                                                                                                                          Detection:MAL
                                                                                                                          Classification:mal100.troj.spyw.evad.winEXE@1/5@0/1
                                                                                                                          EGA Information:
                                                                                                                          • Successful, ratio: 100%
                                                                                                                          HCA Information:
                                                                                                                          • Successful, ratio: 99%
                                                                                                                          • Number of executed functions: 83
                                                                                                                          • Number of non-executed functions: 7
                                                                                                                          Cookbook Comments:
                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                          • Stop behavior analysis, all processes terminated

                                                                                                                          Warnings

                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                                                                          Simulations

                                                                                                                          Behavior and APIs

                                                                                                                          TimeTypeDescription
                                                                                                                          12:37:12API Interceptor21x Sleep call for process: 44QHzbqD3m.exe modified

                                                                                                                          Joe Sandbox View / Context

                                                                                                                          IPs

                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                          103.113.70.993q1lESMAMh.exeGet hashmaliciousRedLineBrowse
                                                                                                                            fkmfYBX2c6.exeGet hashmaliciousRedLineBrowse
                                                                                                                              IcDaW5Yzvb.exeGet hashmaliciousRedLineBrowse
                                                                                                                                W8Q1QyZc1j.exeGet hashmaliciousRedLineBrowse
                                                                                                                                  W8Q1QyZc1j.exeGet hashmaliciousRedLineBrowse

                                                                                                                                    Domains

                                                                                                                                    No context

                                                                                                                                    ASNs

                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN3q1lESMAMh.exeGet hashmaliciousRedLineBrowse
                                                                                                                                    • 103.113.70.99
                                                                                                                                    fkmfYBX2c6.exeGet hashmaliciousRedLineBrowse
                                                                                                                                    • 103.113.70.99
                                                                                                                                    IcDaW5Yzvb.exeGet hashmaliciousRedLineBrowse
                                                                                                                                    • 103.113.70.99
                                                                                                                                    W8Q1QyZc1j.exeGet hashmaliciousRedLineBrowse
                                                                                                                                    • 103.113.70.99
                                                                                                                                    W8Q1QyZc1j.exeGet hashmaliciousRedLineBrowse
                                                                                                                                    • 103.113.70.99
                                                                                                                                    https://www.wsj.pm/download.phpGet hashmaliciousNetSupport RATBrowse
                                                                                                                                    • 103.113.70.37
                                                                                                                                    3A8YbQ0RZ7.dllGet hashmaliciousQbotBrowse
                                                                                                                                    • 103.113.68.33
                                                                                                                                    onuxDag8Co.exeGet hashmaliciousLummaC Stealer, RedLine, SectopRATBrowse
                                                                                                                                    • 103.113.68.183
                                                                                                                                    wssays.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 103.113.70.18
                                                                                                                                    sgiydd.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 103.113.70.18

                                                                                                                                    JA3 Fingerprints

                                                                                                                                    No context

                                                                                                                                    Dropped Files

                                                                                                                                    No context

                                                                                                                                    Created / dropped Files

                                                                                                                                    C:\Users\Public\Desktop\Google Chrome.lnk

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Users\user\Desktop\44QHzbqD3m.exe
                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:29 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2104
                                                                                                                                    Entropy (8bit):3.4564792794500083
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:8ScdZTBnGRYrnvPdAKRkdAGdAKRFdAKR/U:8SaZ
                                                                                                                                    MD5:FCE7466A1C22ACAE692515C30151C8E8
                                                                                                                                    SHA1:9659EE5D69142F1B6C780D9BA44EC778DF320788
                                                                                                                                    SHA-256:648C9601A556E291DD3DE69FEA9821905C2C23FBC78D1E4FEA51F5C37135DA18
                                                                                                                                    SHA-512:6868001C445423E7B8B7B5924BF5F9591CCF14368BBD54CED429642017E239C617A398A14F9C01CD6AB503DD7824D29E543E55BD499CD186044602C60F576406
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview:L..................F.@.. ......,....9zV........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWO`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWO`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWO`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWI`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\44QHzbqD3m.exe.log

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Users\user\Desktop\44QHzbqD3m.exe
                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):3274
                                                                                                                                    Entropy (8bit):5.3318368586986695
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                                                                                                                                    MD5:0B2E58EF6402AD69025B36C36D16B67F
                                                                                                                                    SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                                                                                                                                    SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                                                                                                                                    SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                                                                    C:\Users\user\AppData\Local\Temp\Tmp7E50.tmp

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Users\user\Desktop\44QHzbqD3m.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2662
                                                                                                                                    Entropy (8bit):7.8230547059446645
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                    MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                    SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                    SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                    SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                    Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                                                                                                                    C:\Users\user\AppData\Local\Temp\Tmp7E60.tmp

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Users\user\Desktop\44QHzbqD3m.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2662
                                                                                                                                    Entropy (8bit):7.8230547059446645
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                    MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                    SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                    SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                    SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                    Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Users\user\Desktop\44QHzbqD3m.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2251
                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3::
                                                                                                                                    MD5:0158FE9CEAD91D1B027B795984737614
                                                                                                                                    SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                                                                                                    SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                                                                                                    SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                    Static File Info

                                                                                                                                    General

                                                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                    Entropy (8bit):5.072480224114925
                                                                                                                                    TrID:
                                                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                    File name:44QHzbqD3m.exe
                                                                                                                                    File size:312'093 bytes
                                                                                                                                    MD5:11ae7e8293ed1c199cde872ee52d910d
                                                                                                                                    SHA1:e8acbfe5d1015b5554237749e5d270bc2efbf0ab
                                                                                                                                    SHA256:0d28a4525dba00368e0a1a146b0c1e75656215338358a7dbd65ee5ca2508cacf
                                                                                                                                    SHA512:716565498fb3d68927b2145ca16bc7e4d44eb60ace7e590180832d512352198289de0942bbfc434438a19f2d1d22c2aeba5b0262ad7184f726bc8835d2e22982
                                                                                                                                    SSDEEP:6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
                                                                                                                                    TLSH:B6645C1823EC8911E27F4B7994A1E274D375ED56A452E30F4ED06CAB3E32741FA11AB2
                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................

                                                                                                                                    File Icon

                                                                                                                                    Icon Hash:4d8ea38d85a38e6d

                                                                                                                                    Static PE Info

                                                                                                                                    General

                                                                                                                                    Entrypoint:0x42b9ae
                                                                                                                                    Entrypoint Section:.text
                                                                                                                                    Digitally signed:false
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    Subsystem:windows gui
                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                    Time Stamp:0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
                                                                                                                                    TLS Callbacks:
                                                                                                                                    CLR (.Net) Version:
                                                                                                                                    OS Version Major:4
                                                                                                                                    OS Version Minor:0
                                                                                                                                    File Version Major:4
                                                                                                                                    File Version Minor:0
                                                                                                                                    Subsystem Version Major:4
                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                    Entrypoint Preview

                                                                                                                                    Instruction
                                                                                                                                    jmp dword ptr [00402000h]
                                                                                                                                    popad
                                                                                                                                    add byte ptr [ebp+00h], dh
                                                                                                                                    je 00007F8CD91280B2h
                                                                                                                                    outsd
                                                                                                                                    add byte ptr [esi+00h], ah
                                                                                                                                    imul eax, dword ptr [eax], 006C006Ch
                                                                                                                                    xor eax, 59007400h
                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                    push edx
                                                                                                                                    add byte ptr [ecx+00h], dh
                                                                                                                                    popad
                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                    push esi
                                                                                                                                    add byte ptr [edi+00h], ch
                                                                                                                                    popad
                                                                                                                                    add byte ptr [ebp+00h], ch
                                                                                                                                    push 61006800h
                                                                                                                                    add byte ptr [ebp+00h], ch
                                                                                                                                    dec edx
                                                                                                                                    add byte ptr [eax], bh
                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                    push edi
                                                                                                                                    add byte ptr [ecx], bh
                                                                                                                                    add byte ptr [ecx+00h], bh
                                                                                                                                    bound eax, dword ptr [eax]
                                                                                                                                    xor al, byte ptr [eax]
                                                                                                                                    insb
                                                                                                                                    add byte ptr [eax+00h], bl
                                                                                                                                    pop ecx
                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                    js 00007F8CD91280B2h
                                                                                                                                    jnc 00007F8CD91280B2h
                                                                                                                                    pop edx
                                                                                                                                    add byte ptr [eax+00h], bl
                                                                                                                                    push ecx
                                                                                                                                    add byte ptr [ebx+00h], cl
                                                                                                                                    popad
                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                    dec edx
                                                                                                                                    add byte ptr [ebp+00h], dh
                                                                                                                                    pop edx
                                                                                                                                    add byte ptr [edi+00h], dl
                                                                                                                                    jo 00007F8CD91280B2h
                                                                                                                                    imul eax, dword ptr [eax], 5Ah
                                                                                                                                    add byte ptr [ebp+00h], ch
                                                                                                                                    jo 00007F8CD91280B2h
                                                                                                                                    je 00007F8CD91280B2h
                                                                                                                                    bound eax, dword ptr [eax]
                                                                                                                                    push edi
                                                                                                                                    add byte ptr [eax+eax+77h], dh
                                                                                                                                    add byte ptr [ecx+00h], bl
                                                                                                                                    xor al, byte ptr [eax]
                                                                                                                                    xor eax, 63007300h
                                                                                                                                    add byte ptr [edi+00h], al
                                                                                                                                    push esi
                                                                                                                                    add byte ptr [ecx+00h], ch
                                                                                                                                    popad
                                                                                                                                    add byte ptr [edx], dh
                                                                                                                                    add byte ptr [eax+00h], bh
                                                                                                                                    je 00007F8CD91280B2h
                                                                                                                                    bound eax, dword ptr [eax]
                                                                                                                                    insd
                                                                                                                                    add byte ptr [eax+eax+76h], dh
                                                                                                                                    add byte ptr [edx+00h], bl
                                                                                                                                    push edi
                                                                                                                                    add byte ptr [ecx], bh
                                                                                                                                    add byte ptr [eax+00h], dh
                                                                                                                                    popad
                                                                                                                                    add byte ptr [edi+00h], al
                                                                                                                                    cmp dword ptr [eax], eax
                                                                                                                                    insd
                                                                                                                                    add byte ptr [edx+00h], bl
                                                                                                                                    push edi
                                                                                                                                    add byte ptr [esi+00h], cl
                                                                                                                                    cmp byte ptr [eax], al
                                                                                                                                    push esi
                                                                                                                                    add byte ptr [eax+00h], cl
                                                                                                                                    dec edx
                                                                                                                                    add byte ptr [esi+00h], dh
                                                                                                                                    bound eax, dword ptr [eax]
                                                                                                                                    insd
                                                                                                                                    add byte ptr [eax+00h], bh
                                                                                                                                    jo 00007F8CD91280B2h
                                                                                                                                    bound eax, dword ptr [eax]
                                                                                                                                    insd
                                                                                                                                    add byte ptr [ebx+00h], dh

                                                                                                                                    Data Directories

                                                                                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x2b95c0x4f.text
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x320000x1c9d4.rsrc
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x500000xc.reloc
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x2b9400x1c.text
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                    Sections

                                                                                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                    .text0x20000x2e9940x2ec0064c48738b5efa1379746874c338807d5False0.4696168950534759data6.205450376900145IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                    .rsrc0x320000x1c9d40x1cc005b3e8f48de8a05507379330b3cf331a7False0.23725373641304348data2.6063301335912525IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                    .reloc0x500000xc0x400f921873e0b7f3fe3399366376917ef43False0.025390625data0.05390218305374581IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                    Resources

                                                                                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                    RT_ICON0x321a00x3d04PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9934058898847631
                                                                                                                                    RT_ICON0x35eb40x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m0.09013072282030049
                                                                                                                                    RT_ICON0x466ec0x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m0.13905290505432216
                                                                                                                                    RT_ICON0x4a9240x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m0.17033195020746889
                                                                                                                                    RT_ICON0x4cedc0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m0.2045028142589118
                                                                                                                                    RT_ICON0x4df940x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m0.24645390070921985
                                                                                                                                    RT_GROUP_ICON0x4e40c0x5adata0.7666666666666667
                                                                                                                                    RT_VERSION0x4e4780x35adata0.4417249417249417
                                                                                                                                    RT_MANIFEST0x4e7e40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                                                                                    Imports

                                                                                                                                    DLLImport
                                                                                                                                    mscoree.dll_CorExeMain

                                                                                                                                    Network Behavior

                                                                                                                                    Snort IDS Alerts

                                                                                                                                    TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                                    04/24/24-12:37:07.455958TCP2046056ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)263049730103.113.70.99192.168.2.4
                                                                                                                                    04/24/24-12:37:01.914552TCP2046045ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)497302630192.168.2.4103.113.70.99
                                                                                                                                    04/24/24-12:37:15.327587TCP2043231ET TROJAN Redline Stealer TCP CnC Activity497302630192.168.2.4103.113.70.99
                                                                                                                                    04/24/24-12:37:02.151800TCP2043234ET MALWARE Redline Stealer TCP CnC - Id1Response263049730103.113.70.99192.168.2.4

                                                                                                                                    Network Port Distribution

                                                                                                                                    TCP Packets

                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                    Apr 24, 2024 12:37:01.398340940 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:01.631057024 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:01.631164074 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:01.650737047 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:01.871571064 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:01.913109064 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:01.914551973 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:02.151799917 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:02.194331884 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:07.214179039 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:07.455957890 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:07.456020117 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:07.456037998 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:07.456058979 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:07.456080914 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:07.456130981 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:07.456182003 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:07.577792883 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:07.815779924 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:07.818810940 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:08.039944887 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:08.050066948 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:08.271164894 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:08.319303989 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:08.336206913 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:08.572482109 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:08.572700977 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:08.637754917 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:08.856308937 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:08.924999952 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:08.967190027 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:09.188458920 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:09.197655916 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:09.429872036 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:09.438688040 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:09.443717957 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:09.664910078 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:09.671735048 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:09.909013033 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:09.915076017 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:10.166022062 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:10.167377949 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:10.445138931 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:10.491200924 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:10.552880049 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:10.774729013 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:10.774878025 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:10.775161982 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:10.775270939 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:10.775676966 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:10.775763988 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.000143051 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.000191927 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.000288963 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.000374079 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.000380039 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.000447035 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.000560045 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.000574112 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.000674009 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.220614910 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.220660925 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.223798037 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.223831892 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.223874092 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.223906994 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.223957062 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.223989010 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.224020958 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.224162102 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.224265099 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.224277973 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.224355936 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.224389076 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.224432945 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.224514008 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.224592924 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.224626064 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.224678993 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.224963903 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.225070000 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.444639921 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.444704056 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.444835901 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.445070982 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.445126057 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.445400000 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.445507050 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.445666075 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.445784092 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.446074009 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.446109056 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.446244001 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.446405888 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.446589947 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.446746111 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.446986914 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.447226048 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.447321892 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.447393894 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.447559118 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.447664976 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.447932959 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.448201895 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.448429108 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.448606968 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.448941946 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.449124098 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.449651003 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.449687958 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.449723005 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.449754953 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.449997902 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.450031042 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.450104952 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.450464964 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.450498104 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.450531006 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.450647116 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.450721979 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.450886965 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.451004982 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.451266050 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.451299906 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.451416969 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.451534986 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.451735973 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.452020884 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.495908022 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.496217012 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.496340036 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.669469118 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.669646978 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.669819117 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.681204081 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.681291103 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.681359053 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.681417942 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.681571960 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.681925058 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.682068110 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.720505953 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.720618963 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.720654011 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.720690966 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.720762014 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.720797062 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.721210003 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.721342087 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:11.915649891 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.937412024 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.937622070 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.959275007 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.959606886 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.980916023 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:11.992012978 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.002686024 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.002880096 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.024528027 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.024888039 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:12.025051117 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:12.046503067 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.062544107 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.062725067 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.062843084 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.063015938 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.063278913 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:12.263447046 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.285171032 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.286432028 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.286551952 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.286700010 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.286988974 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.287338972 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.287636042 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.287686110 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.289081097 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.300512075 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:12.521442890 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.524600983 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:12.780419111 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:12.835118055 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:13.343799114 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:13.573414087 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:13.835144997 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:13.881963968 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:13.909461021 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:14.138145924 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:14.142054081 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:14.371022940 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:14.413059950 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:14.423692942 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:14.649069071 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:14.709943056 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:14.780488968 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:15.006397009 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:15.063117027 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:15.326379061 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:15.327586889 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:15.577974081 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                    Apr 24, 2024 12:37:15.631855011 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                    Apr 24, 2024 12:37:17.083837986 CEST497302630192.168.2.4103.113.70.99

                                                                                                                                    Statistics

                                                                                                                                    CPU Usage

                                                                                                                                    Click to jump to process

                                                                                                                                    Memory Usage

                                                                                                                                    Click to jump to process

                                                                                                                                    High Level Behavior Distribution

                                                                                                                                    Click to dive into process behavior distribution

                                                                                                                                    System Behavior

                                                                                                                                    General

                                                                                                                                    Target ID:0
                                                                                                                                    Start time:12:36:59
                                                                                                                                    Start date:24/04/2024
                                                                                                                                    Path:C:\Users\user\Desktop\44QHzbqD3m.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\user\Desktop\44QHzbqD3m.exe"
                                                                                                                                    Imagebase:0xdf0000
                                                                                                                                    File size:312'093 bytes
                                                                                                                                    MD5 hash:11AE7E8293ED1C199CDE872EE52D910D
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1635191784.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1807370130.0000000003239000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1807370130.000000000339A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Reputation:low
                                                                                                                                    Has exited:true

                                                                                                                                    Disassembly

                                                                                                                                    Reset < >

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:11%
                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                      Signature Coverage:0%
                                                                                                                                      Total number of Nodes:86
                                                                                                                                      Total number of Limit Nodes:15
                                                                                                                                      execution_graph 41807 55dad38 41811 55dae30 41807->41811 41821 55dae20 41807->41821 41808 55dad47 41812 55dae41 41811->41812 41815 55dae64 41811->41815 41831 55d9838 41812->41831 41815->41808 41816 55dae5c 41816->41815 41817 55db068 GetModuleHandleW 41816->41817 41818 55db095 41817->41818 41818->41808 41822 55dae41 41821->41822 41826 55dae64 41821->41826 41823 55d9838 GetModuleHandleW 41822->41823 41824 55dae4c 41823->41824 41824->41826 41829 55db0c8 2 API calls 41824->41829 41830 55db0b8 2 API calls 41824->41830 41825 55dae5c 41825->41826 41827 55db068 GetModuleHandleW 41825->41827 41826->41808 41828 55db095 41827->41828 41828->41808 41829->41825 41830->41825 41832 55db020 GetModuleHandleW 41831->41832 41834 55dae4c 41832->41834 41834->41815 41835 55db0b8 41834->41835 41840 55db0c8 41834->41840 41836 55d9838 GetModuleHandleW 41835->41836 41837 55db0dc 41835->41837 41836->41837 41839 55db101 41837->41839 41845 55da870 41837->41845 41839->41816 41841 55d9838 GetModuleHandleW 41840->41841 41842 55db0dc 41841->41842 41843 55da870 LoadLibraryExW 41842->41843 41844 55db101 41842->41844 41843->41844 41844->41816 41846 55db2a8 LoadLibraryExW 41845->41846 41848 55db321 41846->41848 41848->41839 41849 55dd0b8 41850 55dd0fe 41849->41850 41854 55dd289 41850->41854 41857 55dd298 41850->41857 41851 55dd1eb 41855 55dd2c6 41854->41855 41860 55dc9a0 41854->41860 41855->41851 41858 55dc9a0 DuplicateHandle 41857->41858 41859 55dd2c6 41858->41859 41859->41851 41861 55dd300 DuplicateHandle 41860->41861 41862 55dd396 41861->41862 41862->41855 41896 55d4668 41897 55d4684 41896->41897 41898 55d4696 41897->41898 41900 55d47a0 41897->41900 41901 55d47c5 41900->41901 41905 55d48b0 41901->41905 41909 55d48a1 41901->41909 41907 55d48d7 41905->41907 41906 55d49b4 41906->41906 41907->41906 41913 55d4248 41907->41913 41910 55d48d7 41909->41910 41911 55d49b4 41910->41911 41912 55d4248 CreateActCtxA 41910->41912 41911->41911 41912->41911 41914 55d5940 CreateActCtxA 41913->41914 41916 55d5a03 41914->41916 41916->41916 41863 7e17788 41864 7e177af 41863->41864 41865 7e17835 41864->41865 41872 7e18d31 41864->41872 41876 7e1a13a 41864->41876 41880 7e197db 41864->41880 41884 7e18d38 41864->41884 41888 7e1a219 41864->41888 41892 7e19a86 41864->41892 41875 7e18d38 41872->41875 41873 7e1a203 41873->41873 41874 7e196b6 LdrInitializeThunk 41874->41875 41875->41873 41875->41874 41879 7e18e98 41876->41879 41877 7e1a203 41877->41877 41878 7e196b6 LdrInitializeThunk 41878->41879 41879->41877 41879->41878 41882 7e18e98 41880->41882 41881 7e1a203 41881->41881 41882->41881 41883 7e196b6 LdrInitializeThunk 41882->41883 41883->41882 41887 7e18d65 41884->41887 41885 7e1a203 41885->41885 41886 7e196b6 LdrInitializeThunk 41886->41887 41887->41885 41887->41886 41889 7e1a203 41888->41889 41891 7e18e98 41888->41891 41890 7e196b6 LdrInitializeThunk 41890->41891 41891->41889 41891->41890 41894 7e18e98 41892->41894 41893 7e1a203 41893->41893 41894->41893 41895 7e196b6 LdrInitializeThunk 41894->41895 41895->41894

                                                                                                                                      Executed Functions

                                                                                                                                      Function 07E1CC28 Relevance: 6.6, Strings: 5, Instructions: 390COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 606 7e1cc28-7e1cc69 608 7e1cc75-7e1cc79 606->608 609 7e1cc6b-7e1cc73 606->609 610 7e1cc7e-7e1cc83 608->610 609->610 611 7e1cc85-7e1cc8a 610->611 612 7e1cc8c-7e1cc95 610->612 613 7e1cc98-7e1cc9a 611->613 612->613 614 7e1cca0-7e1ccb9 call 7e1caa0 613->614 615 7e1d006-7e1d030 613->615 619 7e1cd07-7e1cd0e 614->619 620 7e1ccbb-7e1cccb 614->620 640 7e1d037-7e1d077 615->640 624 7e1cd10 619->624 625 7e1cd13-7e1cd23 619->625 621 7e1ccd1-7e1cce9 620->621 622 7e1cf9e-7e1cfbb 620->622 626 7e1cfc4-7e1cfcd 621->626 627 7e1ccef-7e1ccf6 621->627 622->626 624->625 628 7e1cd33-7e1cd50 625->628 629 7e1cd25-7e1cd31 625->629 630 7e1cfd5-7e1cfff 626->630 627->630 631 7e1ccfc-7e1cd06 627->631 633 7e1cd54-7e1cd60 628->633 629->633 630->615 634 7e1cd62-7e1cd64 633->634 635 7e1cd66 633->635 638 7e1cd69-7e1cd6b 634->638 635->638 639 7e1cd71-7e1cd86 638->639 638->640 642 7e1cd96-7e1cdb3 639->642 643 7e1cd88-7e1cd94 639->643 671 7e1d07e-7e1d0be 640->671 644 7e1cdb7-7e1cdc3 642->644 643->644 646 7e1cdc5-7e1cdca 644->646 647 7e1cdcc-7e1cdd5 644->647 649 7e1cdd8-7e1cdda 646->649 647->649 651 7e1cde0 649->651 652 7e1ce62-7e1ce66 649->652 707 7e1cde2 call 7e1d120 651->707 708 7e1cde2 call 7e1d188 651->708 654 7e1ce68-7e1ce86 652->654 655 7e1ce9a-7e1ceb2 call 7e1c968 652->655 654->655 668 7e1ce88-7e1ce95 call 7e1caa0 654->668 675 7e1ceb7-7e1cee1 call 7e1caa0 655->675 657 7e1cde8-7e1ce08 call 7e1caa0 665 7e1ce18-7e1ce35 657->665 666 7e1ce0a-7e1ce16 657->666 669 7e1ce39-7e1ce45 665->669 666->669 668->620 673 7e1ce47-7e1ce4c 669->673 674 7e1ce4e-7e1ce57 669->674 696 7e1d0c5-7e1d11a 671->696 677 7e1ce5a-7e1ce5c 673->677 674->677 683 7e1cef1-7e1cf0e 675->683 684 7e1cee3-7e1ceef 675->684 677->652 677->671 685 7e1cf12-7e1cf1e 683->685 684->685 687 7e1cf20-7e1cf22 685->687 688 7e1cf24 685->688 689 7e1cf27-7e1cf29 687->689 688->689 689->620 691 7e1cf2f-7e1cf3f 689->691 692 7e1cf41-7e1cf4d 691->692 693 7e1cf4f-7e1cf6c 691->693 695 7e1cf70-7e1cf7c 692->695 693->695 697 7e1cf85-7e1cf8e 695->697 698 7e1cf7e-7e1cf83 695->698 699 7e1cf91-7e1cf93 697->699 698->699 699->696 700 7e1cf99 699->700 700->614 707->657 708->657
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: Hhq$Hhq$Hhq$Hhq$Hhq
                                                                                                                                      • API String ID: 0-1427472961
                                                                                                                                      • Opcode ID: 52fcc0e8888749f2bc2a86ea5a94ea3fd7a2d8fb6ab0454044c9c97777144ceb
                                                                                                                                      • Instruction ID: fafa711eabd8f2a61aedbf8bb46c92e8a0f5f184c790c73621d7ebeca1e4607d
                                                                                                                                      • Opcode Fuzzy Hash: 52fcc0e8888749f2bc2a86ea5a94ea3fd7a2d8fb6ab0454044c9c97777144ceb
                                                                                                                                      • Instruction Fuzzy Hash: 19F1C1B1E51256CBCB15CF74C5512BDFBF2BF85300F248669D406EB251EB389A85CBA0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 07E18D38 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1088COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 709 7e18d38-7e18d63 710 7e18d65 709->710 711 7e18d6a-7e18e06 709->711 710->711 714 7e18e58-7e18e93 711->714 715 7e18e08-7e18e52 711->715 720 7e1a1e4-7e1a1fd 714->720 715->714 723 7e1a203-7e1a229 720->723 724 7e18e98-7e18fee 720->724 727 7e1a238 723->727 728 7e1a22b-7e1a237 723->728 962 7e18ff4 call 7e1a2e0 724->962 963 7e18ff4 call 7e1a2dd 724->963 729 7e1a239 727->729 728->727 729->729 740 7e18ffa-7e19028 742 7e1a19c-7e1a1b6 740->742 744 7e1902d-7e19171 742->744 745 7e1a1bc-7e1a1e0 742->745 761 7e19173-7e1919f 744->761 762 7e191a4-7e191eb 744->762 745->720 765 7e19233-7e193eb 761->765 767 7e19211-7e19220 762->767 768 7e191ed-7e1920f 762->768 790 7e1943d-7e19448 765->790 791 7e193ed-7e19437 765->791 774 7e19226-7e19232 767->774 768->774 774->765 960 7e1944e call 7e1ae08 790->960 961 7e1944e call 7e1ae18 790->961 791->790 793 7e19454-7e194b8 798 7e1950a-7e19515 793->798 799 7e194ba-7e19504 793->799 948 7e1951b call 7e1ae08 798->948 949 7e1951b call 7e1ae18 798->949 799->798 800 7e19521-7e19584 806 7e195d6-7e195e1 800->806 807 7e19586-7e195d0 800->807 956 7e195e7 call 7e1ae08 806->956 957 7e195e7 call 7e1ae18 806->957 807->806 808 7e195ed-7e19626 812 7e1962c-7e1968f 808->812 813 7e19a9f-7e19b26 808->813 821 7e19691 812->821 822 7e19696-7e196e8 LdrInitializeThunk call 7e18aac 812->822 825 7e19b84-7e19b8f 813->825 826 7e19b28-7e19b7e 813->826 821->822 832 7e196ed-7e19815 call 7e17c98 call 7e18718 call 7e15c3c call 7e15c4c 822->832 958 7e19b95 call 7e1ae08 825->958 959 7e19b95 call 7e1ae18 825->959 826->825 829 7e19b9b-7e19c28 842 7e19c86-7e19c91 829->842 843 7e19c2a-7e19c80 829->843 866 7e19a82-7e19a9e 832->866 867 7e1981b-7e1986d 832->867 954 7e19c97 call 7e1ae08 842->954 955 7e19c97 call 7e1ae18 842->955 843->842 847 7e19c9d-7e19d15 858 7e19d73-7e19d7e 847->858 859 7e19d17-7e19d6d 847->859 952 7e19d84 call 7e1ae08 858->952 953 7e19d84 call 7e1ae18 858->953 859->858 863 7e19d8a-7e19df6 875 7e19e48-7e19e53 863->875 876 7e19df8-7e19e42 863->876 866->813 877 7e198bf-7e1993a 867->877 878 7e1986f-7e198b9 867->878 950 7e19e59 call 7e1ae08 875->950 951 7e19e59 call 7e1ae18 875->951 876->875 891 7e1998c-7e19a06 877->891 892 7e1993c-7e19986 877->892 878->877 882 7e19e5f-7e19e86 890 7e19e90-7e19ea4 882->890 893 7e19fda-7e1a183 890->893 894 7e19eaa-7e19fd9 890->894 908 7e19a58-7e19a81 891->908 909 7e19a08-7e19a52 891->909 892->891 945 7e1a185-7e1a19a 893->945 946 7e1a19b 893->946 894->893 908->866 909->908 945->946 946->742 948->800 949->800 950->882 951->882 952->863 953->863 954->847 955->847 956->808 957->808 958->829 959->829 960->793 961->793 962->740 963->740
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: +,
                                                                                                                                      • API String ID: 0-2694382870
                                                                                                                                      • Opcode ID: 65c4aaf721a826db4f5a2256ff3270c164bfc3eab8f10259f33849d6fc397980
                                                                                                                                      • Instruction ID: b55ccf8ab703d83f63b4b4f36b2d03ad814c513ecc67b741428c3b3ed582b95f
                                                                                                                                      • Opcode Fuzzy Hash: 65c4aaf721a826db4f5a2256ff3270c164bfc3eab8f10259f33849d6fc397980
                                                                                                                                      • Instruction Fuzzy Hash: E0C28DB4A022299FCB64DF25D998B9DBBB2FB89301F1085E9D40DA7254DB346EC5CF40
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 07E1AF90 Relevance: 2.9, Strings: 2, Instructions: 364COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 1114 7e1af90-7e1afc2 1115 7e1afc4 1114->1115 1116 7e1afc9-7e1b095 1114->1116 1115->1116 1121 7e1b097-7e1b0a5 1116->1121 1122 7e1b0aa 1116->1122 1123 7e1b558-7e1b565 1121->1123 1185 7e1b0b0 call 7e1b8f7 1122->1185 1186 7e1b0b0 call 7e1b9d6 1122->1186 1187 7e1b0b0 call 7e1b946 1122->1187 1188 7e1b0b0 call 7e1b848 1122->1188 1124 7e1b0b6-7e1b166 1132 7e1b4e7-7e1b511 1124->1132 1134 7e1b517-7e1b556 1132->1134 1135 7e1b16b-7e1b381 1132->1135 1134->1123 1162 7e1b38d-7e1b3d7 1135->1162 1165 7e1b3d9 1162->1165 1166 7e1b3df-7e1b3e1 1162->1166 1167 7e1b3e3 1165->1167 1168 7e1b3db-7e1b3dd 1165->1168 1169 7e1b3e8-7e1b3ef 1166->1169 1167->1169 1168->1166 1168->1167 1170 7e1b3f1-7e1b468 1169->1170 1171 7e1b469-7e1b48f 1169->1171 1170->1171 1173 7e1b491-7e1b49a 1171->1173 1174 7e1b49c-7e1b4a8 1171->1174 1176 7e1b4ae-7e1b4cd 1173->1176 1174->1176 1180 7e1b4e3-7e1b4e4 1176->1180 1181 7e1b4cf-7e1b4e2 1176->1181 1180->1132 1181->1180 1185->1124 1186->1124 1187->1124 1188->1124
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: .$1
                                                                                                                                      • API String ID: 0-1839485796
                                                                                                                                      • Opcode ID: 6ed8b3caebe632d7490e53201d620d150d956eac5dbcdc7d8830cfd864b37583
                                                                                                                                      • Instruction ID: 133a69451b1d4e9b2daeb43589470c9189542d27d7e3ca72137de5293fda1913
                                                                                                                                      • Opcode Fuzzy Hash: 6ed8b3caebe632d7490e53201d620d150d956eac5dbcdc7d8830cfd864b37583
                                                                                                                                      • Instruction Fuzzy Hash: 50F1CFB4E01229CFDB28DF65D995BDDBBB2FF8A301F1091AAD409A7250DB355A81CF10
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 07E16F90 Relevance: 2.7, Strings: 2, Instructions: 219COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 1189 7e16f90-7e16fb1 1190 7e16fb3 1189->1190 1191 7e16fb8-7e17022 1189->1191 1190->1191 1196 7e1702a-7e17077 1191->1196 1200 7e172af-7e172c3 1196->1200 1202 7e172c9-7e172ed 1200->1202 1203 7e1707c-7e17166 1200->1203 1208 7e172ee 1202->1208 1218 7e17243-7e17253 1203->1218 1208->1208 1220 7e17259-7e17283 1218->1220 1221 7e1716b-7e17181 1218->1221 1228 7e17285-7e1728e 1220->1228 1229 7e1728f 1220->1229 1225 7e17183-7e1718f 1221->1225 1226 7e171ab 1221->1226 1230 7e17191-7e17197 1225->1230 1231 7e17199-7e1719f 1225->1231 1227 7e171b1-7e17216 1226->1227 1238 7e17218-7e1722e 1227->1238 1239 7e1722f-7e17242 1227->1239 1228->1229 1229->1200 1232 7e171a9 1230->1232 1231->1232 1232->1227 1238->1239 1239->1218
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: LRdq$PHdq
                                                                                                                                      • API String ID: 0-3514635139
                                                                                                                                      • Opcode ID: 1f94db5bae3454d39e36a944d8b94758e65902ce323dc4764debd532305e2d5f
                                                                                                                                      • Instruction ID: d52a318a5dbc9c824a0e340b7f6aca3c6191335b86c40f9b8e9cca3700d83313
                                                                                                                                      • Opcode Fuzzy Hash: 1f94db5bae3454d39e36a944d8b94758e65902ce323dc4764debd532305e2d5f
                                                                                                                                      • Instruction Fuzzy Hash: 8EA1D3B4E01319CFDB24DFA5C955B9EBBB2BF89300F1091A9D409AB3A4DB305986CF51
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 07E168E8 Relevance: 2.7, Strings: 2, Instructions: 203COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 1242 7e168e8-7e16908 1243 7e1690a 1242->1243 1244 7e1690f-7e16996 1242->1244 1243->1244 1248 7e16998-7e169b7 1244->1248 1249 7e169ba-7e169d3 1244->1249 1248->1249 1252 7e16b57-7e16b6d 1249->1252 1253 7e16b73-7e16b97 1252->1253 1254 7e169d8-7e169fe 1252->1254 1259 7e16a00 1254->1259 1260 7e16a05-7e16a35 1254->1260 1259->1260 1263 7e16a37-7e16a40 1260->1263 1264 7e16a56 1260->1264 1265 7e16a42-7e16a45 1263->1265 1266 7e16a47-7e16a4a 1263->1266 1267 7e16a59-7e16ae6 1264->1267 1268 7e16a54 1265->1268 1266->1268 1276 7e16b33-7e16b44 1267->1276 1277 7e16ae8-7e16afc 1267->1277 1268->1267 1280 7e16b45-7e16b54 1276->1280 1281 7e16b05-7e16b31 1277->1281 1280->1252 1281->1280
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: $dq$$dq
                                                                                                                                      • API String ID: 0-2340669324
                                                                                                                                      • Opcode ID: d98a0c2c2e6732811f79b63180b02cd63026af68bd4293833f7459d46aeec039
                                                                                                                                      • Instruction ID: 890f9c2231040c9fd92721042b77715cd445816cd2b417352a9215a3ae9db145
                                                                                                                                      • Opcode Fuzzy Hash: d98a0c2c2e6732811f79b63180b02cd63026af68bd4293833f7459d46aeec039
                                                                                                                                      • Instruction Fuzzy Hash: B791D2B4E01218DFDB14DFA9D584A9DBBF2FF89305F209469E419AB350DB359982CF10
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 07E17930 Relevance: 2.7, Strings: 2, Instructions: 190COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 1285 7e17930-7e17951 1286 7e17953 1285->1286 1287 7e17958-7e179a0 1285->1287 1286->1287 1326 7e179a2 call 7e17c91 1287->1326 1327 7e179a2 call 7e183e8 1287->1327 1328 7e179a2 call 7e17c98 1287->1328 1288 7e179a8-7e179b7 call 7e168e8 1290 7e179bc-7e179ec 1288->1290 1291 7e17a3e-7e17a7c 1290->1291 1292 7e179ee-7e17a38 1290->1292 1297 7e17bf5-7e17c09 1291->1297 1292->1291 1300 7e17a81-7e17b05 1297->1300 1301 7e17c0f-7e17c33 1297->1301 1310 7e17b07-7e17b08 1300->1310 1311 7e17b0d-7e17b52 1300->1311 1310->1297 1315 7e17be1-7e17bf4 1311->1315 1316 7e17b58-7e17be0 call 7e15c3c call 7e15c4c 1311->1316 1315->1297 1316->1315 1326->1288 1327->1288 1328->1288
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: #+$[+
                                                                                                                                      • API String ID: 0-3892461662
                                                                                                                                      • Opcode ID: 283c15b016553eebfdfe31fe55482fcd14422f5f20a7be8a9f3529ff6352c57d
                                                                                                                                      • Instruction ID: 802e998fb2bff7b647038aa4a1016dfa653e72be0fd3876096e1105eb892b8ae
                                                                                                                                      • Opcode Fuzzy Hash: 283c15b016553eebfdfe31fe55482fcd14422f5f20a7be8a9f3529ff6352c57d
                                                                                                                                      • Instruction Fuzzy Hash: 0891F4B0D01229CFDB64DFA9C985BDDBBB2BF99300F1095A9D409AB254DB346E85CF40
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 07E1DD78 Relevance: .8, Instructions: 814COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f24c01a72b90c459d2cebe30ec8daaaef036cdaf7ac475670e6a932157b35aa0
                                                                                                                                      • Instruction ID: 37d71f799f96d8c1d0be04fe631bd6926b375dc055f2419d07aeb3bf87fa1fd8
                                                                                                                                      • Opcode Fuzzy Hash: f24c01a72b90c459d2cebe30ec8daaaef036cdaf7ac475670e6a932157b35aa0
                                                                                                                                      • Instruction Fuzzy Hash: 5C8256F4600216CFDB24CF38D949B6977B5BF48209F1481E8E9099B7A5EB349C85CF91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 07E17C98 Relevance: .4, Instructions: 426COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1396bc37009ffb538982534682f204f0ba8c3f604e5772452a2a2a85c9894868
                                                                                                                                      • Instruction ID: c01a1b9e28b93c8111b10c4a58bd2c544d8408f81388ae2337e8197064bfeac7
                                                                                                                                      • Opcode Fuzzy Hash: 1396bc37009ffb538982534682f204f0ba8c3f604e5772452a2a2a85c9894868
                                                                                                                                      • Instruction Fuzzy Hash: 06227DB4D012298FDB65DF69C991BD9B7B2BF89304F1091EAD449AB250EB305EC5CF80
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A367D8 Relevance: .4, Instructions: 424COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 047ab65fda7a3e4411f22dbb6fc32d886d03969b4934073dc9b722e9f64b6e4e
                                                                                                                                      • Instruction ID: 199218dbc5bdd4064be588a31290e97ef1661d1ee18f2596829757c0441a2a6d
                                                                                                                                      • Opcode Fuzzy Hash: 047ab65fda7a3e4411f22dbb6fc32d886d03969b4934073dc9b722e9f64b6e4e
                                                                                                                                      • Instruction Fuzzy Hash: EAF16D70A01325AFCB55DFA8D844A9EBBF2EF89300F158569F5099F2A1DB30E945CB90
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3A3D8 Relevance: .3, Instructions: 297COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 82cb3c266c95e38d923f6124f1df8762215581939cbe29526c57c184fb434c3d
                                                                                                                                      • Instruction ID: 5a9e88e951465571aef69ed5215d6732bfd2fab9f42c25f9f8c6ef210f69686d
                                                                                                                                      • Opcode Fuzzy Hash: 82cb3c266c95e38d923f6124f1df8762215581939cbe29526c57c184fb434c3d
                                                                                                                                      • Instruction Fuzzy Hash: E5D1F770D01318CFCB54EFB5D854A9DBBB2FF8A301F1085A9D90AAB294DB356986CF11
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3A3E8 Relevance: .3, Instructions: 289COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 35764568b7db7fcde792b6414175df43359d30eee2f6cbf2adcf2a4b03ce4ce7
                                                                                                                                      • Instruction ID: dc38d249e98838d45ea5560b71d20f2b25add11c791067a5be7a283db81cc715
                                                                                                                                      • Opcode Fuzzy Hash: 35764568b7db7fcde792b6414175df43359d30eee2f6cbf2adcf2a4b03ce4ce7
                                                                                                                                      • Instruction Fuzzy Hash: B0D10730D01318CFCB54EFB5D854A9DBBB2FF8A301F2085A9D90AAB294DB356885CF11
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 07E1A2E0 Relevance: .3, Instructions: 271COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 59bc593095f787666f14163e7e8f9cbf5f14356cead5ce560b39c1ae975c4338
                                                                                                                                      • Instruction ID: d1e5c0f9e1beeeb3fef8e1e2ea071736b351c903ed38bf345b6b4be8f413130f
                                                                                                                                      • Opcode Fuzzy Hash: 59bc593095f787666f14163e7e8f9cbf5f14356cead5ce560b39c1ae975c4338
                                                                                                                                      • Instruction Fuzzy Hash: D1C1B6B0D012298BDB64DF69C951BEEBBB2BF89300F10D1E9C409BB294DB755A85CF50
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A20D80 Relevance: 20.6, Strings: 16, Instructions: 619COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 304 6a20d80-6a20dcb 309 6a20dd1-6a20dd3 304->309 310 6a20efd-6a20f10 304->310 311 6a20dd6-6a20de5 309->311 314 6a21006-6a21011 310->314 315 6a20f16-6a20f25 310->315 316 6a20deb-6a20e1d 311->316 317 6a20e9d-6a20ea1 311->317 319 6a21019-6a21022 314->319 324 6a20fd1-6a20fd5 315->324 325 6a20f2b-6a20f51 315->325 352 6a20e26-6a20e2d 316->352 353 6a20e1f-6a20e24 316->353 320 6a20ea3-6a20eae 317->320 321 6a20eb0 317->321 322 6a20eb5-6a20eb8 320->322 321->322 322->319 326 6a20ebe-6a20ec2 322->326 327 6a20fd7-6a20fe2 324->327 328 6a20fe4 324->328 354 6a20f53-6a20f58 325->354 355 6a20f5a-6a20f61 325->355 330 6a20ed1 326->330 331 6a20ec4-6a20ecf 326->331 333 6a20fe6-6a20fe8 327->333 328->333 338 6a20ed3-6a20ed5 330->338 331->338 336 6a20fea-6a20ff4 333->336 337 6a21039-6a210b5 333->337 347 6a20ff7-6a21000 336->347 386 6a210bb-6a210bd 337->386 387 6a21189-6a2119c 337->387 342 6a21025-6a21032 338->342 343 6a20edb-6a20ee5 338->343 342->337 356 6a20ee8-6a20ef2 343->356 347->314 347->315 358 6a20e52-6a20e76 352->358 359 6a20e2f-6a20e50 352->359 357 6a20e91-6a20e9b 353->357 360 6a20fc5-6a20fcf 354->360 361 6a20f63-6a20f84 355->361 362 6a20f86-6a20faa 355->362 356->311 363 6a20ef8 356->363 357->356 376 6a20e78-6a20e7e 358->376 377 6a20e8e 358->377 359->357 360->347 361->360 378 6a20fc2 362->378 379 6a20fac-6a20fb2 362->379 363->319 381 6a20e82-6a20e84 376->381 382 6a20e80 376->382 377->357 378->360 383 6a20fb6-6a20fb8 379->383 384 6a20fb4 379->384 381->377 382->377 383->378 384->378 388 6a210c0-6a210cf 386->388 390 6a211a2-6a211b1 387->390 391 6a21234-6a2123f 387->391 393 6a210d1-6a210dd 388->393 394 6a21129-6a2112d 388->394 401 6a211b3-6a211dc 390->401 402 6a211ff-6a21203 390->402 396 6a21247-6a21250 391->396 407 6a210e7-6a210fe 393->407 397 6a2112f-6a2113a 394->397 398 6a2113c 394->398 400 6a21141-6a21144 397->400 398->400 400->396 406 6a2114a-6a2114e 400->406 425 6a211f4-6a211fd 401->425 426 6a211de-6a211e4 401->426 404 6a21212 402->404 405 6a21205-6a21210 402->405 410 6a21214-6a21216 404->410 405->410 408 6a21150-6a2115b 406->408 409 6a2115d 406->409 416 6a21104-6a21106 407->416 415 6a2115f-6a21161 408->415 409->415 413 6a21267-6a21292 410->413 414 6a21218-6a21222 410->414 438 6a21294 413->438 439 6a2129a-6a212af 413->439 429 6a21225-6a2122e 414->429 419 6a21253-6a21260 415->419 420 6a21167-6a21171 415->420 422 6a21108-6a2110e 416->422 423 6a2111e-6a21127 416->423 419->413 436 6a21174-6a2117e 420->436 427 6a21112-6a21114 422->427 428 6a21110 422->428 423->436 425->429 430 6a211e6 426->430 431 6a211e8-6a211ea 426->431 427->423 428->423 429->390 429->391 430->425 431->425 436->388 440 6a21184 436->440 441 6a21296-6a21299 438->441 442 6a212c4-6a212c5 438->442 443 6a212c7-6a212e9 439->443 445 6a212b1-6a212b7 439->445 440->396 441->439 442->443 450 6a212ec-6a212f0 443->450 447 6a212bb-6a212bd 445->447 448 6a212b9 445->448 447->442 448->443 451 6a212f2-6a212f7 450->451 452 6a212f9-6a212fe 450->452 453 6a21304-6a21307 451->453 452->453 454 6a214f8-6a21500 453->454 455 6a2130d-6a21322 453->455 455->450 457 6a21324 455->457 458 6a213e0-6a21405 457->458 459 6a2132b-6a21350 457->459 460 6a21498 457->460 470 6a21407-6a21409 458->470 471 6a2140b-6a2140f 458->471 472 6a21352-6a21354 459->472 473 6a21356-6a2135a 459->473 462 6a214a2-6a214b9 460->462 465 6a214bf-6a214f3 462->465 465->450 475 6a2146d-6a21493 470->475 476 6a21430-6a21453 471->476 477 6a21411-6a2142e 471->477 478 6a213b8-6a213db 472->478 479 6a2137b-6a2139e 473->479 480 6a2135c-6a21379 473->480 475->450 496 6a21455-6a2145b 476->496 497 6a2146b 476->497 477->475 478->450 494 6a213a0-6a213a6 479->494 495 6a213b6 479->495 480->478 498 6a213aa-6a213ac 494->498 499 6a213a8 494->499 495->478 500 6a2145f-6a21461 496->500 501 6a2145d 496->501 497->475 498->495 499->495 500->497 501->497
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814038588.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a20000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                                                                                                      • API String ID: 0-256639137
                                                                                                                                      • Opcode ID: 2289146663c87799ffc310f91b27577d49061f80ac04f15a42d4bd258c477212
                                                                                                                                      • Instruction ID: ea284f44ce062fee66d317c2c013cb7c63592a1d73569bd2e0f78af5b957e684
                                                                                                                                      • Opcode Fuzzy Hash: 2289146663c87799ffc310f91b27577d49061f80ac04f15a42d4bd258c477212
                                                                                                                                      • Instruction Fuzzy Hash: F0329170B402169FDB54DB69D944A6ABBF7FF89300B258469E906CB3A2CF34DC41CB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A21577 Relevance: 7.8, Strings: 6, Instructions: 342COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 502 6a21577-6a21578 503 6a2157a-6a21580 502->503 504 6a21582-6a2158e 503->504 505 6a215f3-6a215f7 503->505 513 6a21598-6a215af 504->513 506 6a21606 505->506 507 6a215f9-6a21604 505->507 508 6a2160b-6a2160e 506->508 507->508 511 6a21610-6a21614 508->511 512 6a21645-6a21747 508->512 514 6a21623 511->514 515 6a21616-6a21621 511->515 518 6a215b5-6a215b7 513->518 516 6a21625-6a21627 514->516 515->516 520 6a2174a-6a217a7 516->520 521 6a2162d-6a21637 516->521 523 6a215b9-6a215bf 518->523 524 6a215cf-6a215f1 518->524 538 6a217a9-6a217af 520->538 539 6a217bf-6a217e1 520->539 531 6a21638-6a2163f 521->531 526 6a215c3-6a215c5 523->526 527 6a215c1 523->527 524->531 526->524 527->524 531->512 533 6a21571-6a21576 531->533 533->502 540 6a217b3-6a217b5 538->540 541 6a217b1 538->541 544 6a217e4-6a217e8 539->544 540->539 541->539 545 6a217f1-6a217f6 544->545 546 6a217ea-6a217ef 544->546 547 6a217fc-6a217ff 545->547 546->547 548 6a21805-6a2181a 547->548 549 6a21abf-6a21ac7 547->549 548->544 551 6a2181c 548->551 552 6a21823-6a218d3 551->552 553 6a21990-6a219bd 551->553 554 6a21a07-6a21a2c 551->554 555 6a218d8-6a2198b 551->555 552->544 573 6a219c3-6a219cd 553->573 574 6a21b36-6a21b77 553->574 569 6a21a32-6a21a36 554->569 570 6a21a2e-6a21a30 554->570 555->544 576 6a21a57-6a21a7a 569->576 577 6a21a38-6a21a55 569->577 575 6a21a94-6a21aba 570->575 580 6a219d3-6a21a02 573->580 581 6a21b00-6a21b2f 573->581 575->544 598 6a21a92 576->598 599 6a21a7c-6a21a82 576->599 577->575 580->544 581->574 598->575 601 6a21a86-6a21a88 599->601 602 6a21a84 599->602 601->598 602->598
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814038588.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a20000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: $dq$$dq$$dq$$dq$$dq$$dq
                                                                                                                                      • API String ID: 0-2331353128
                                                                                                                                      • Opcode ID: b80fe672b15fd51a0406bcc4d83b8078e7dbf4e42556be08d6d709b84e0fe7bb
                                                                                                                                      • Instruction ID: 51df8d81338c42ca33adc739cb34bff853e1b454427cf1f5d9b36dc78b774076
                                                                                                                                      • Opcode Fuzzy Hash: b80fe672b15fd51a0406bcc4d83b8078e7dbf4e42556be08d6d709b84e0fe7bb
                                                                                                                                      • Instruction Fuzzy Hash: 34C1D5707402529FDB549BA8C454A3F7BF6FF89304B244469EA068B392DF75DC06C791
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 055DAE30 Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 1425 55dae30-55dae3f 1426 55dae6b-55dae6f 1425->1426 1427 55dae41-55dae4e call 55d9838 1425->1427 1428 55dae71-55dae7b 1426->1428 1429 55dae83-55daec4 1426->1429 1434 55dae64 1427->1434 1435 55dae50 1427->1435 1428->1429 1436 55daec6-55daece 1429->1436 1437 55daed1-55daedf 1429->1437 1434->1426 1482 55dae56 call 55db0c8 1435->1482 1483 55dae56 call 55db0b8 1435->1483 1436->1437 1438 55daee1-55daee6 1437->1438 1439 55daf03-55daf05 1437->1439 1442 55daee8-55daeef call 55da814 1438->1442 1443 55daef1 1438->1443 1441 55daf08-55daf0f 1439->1441 1440 55dae5c-55dae5e 1440->1434 1444 55dafa0-55dafb7 1440->1444 1445 55daf1c-55daf23 1441->1445 1446 55daf11-55daf19 1441->1446 1448 55daef3-55daf01 1442->1448 1443->1448 1458 55dafb9-55db018 1444->1458 1449 55daf25-55daf2d 1445->1449 1450 55daf30-55daf39 call 55da824 1445->1450 1446->1445 1448->1441 1449->1450 1456 55daf3b-55daf43 1450->1456 1457 55daf46-55daf4b 1450->1457 1456->1457 1459 55daf4d-55daf54 1457->1459 1460 55daf69-55daf76 1457->1460 1476 55db01a-55db060 1458->1476 1459->1460 1461 55daf56-55daf66 call 55da834 call 55da844 1459->1461 1465 55daf99-55daf9f 1460->1465 1466 55daf78-55daf96 1460->1466 1461->1460 1466->1465 1477 55db068-55db093 GetModuleHandleW 1476->1477 1478 55db062-55db065 1476->1478 1479 55db09c-55db0b0 1477->1479 1480 55db095-55db09b 1477->1480 1478->1477 1480->1479 1482->1440 1483->1440
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1812091456.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_55d0000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                      • Opcode ID: 49434c15ac6ef720d41d1d9b466c578ff4054cd82a0666034c1e4eefc649f89d
                                                                                                                                      • Instruction ID: d3c509aced9257daaf2c7d84676f0e117f8df7c28d2822f62774cebca8aba043
                                                                                                                                      • Opcode Fuzzy Hash: 49434c15ac6ef720d41d1d9b466c578ff4054cd82a0666034c1e4eefc649f89d
                                                                                                                                      • Instruction Fuzzy Hash: F67103B5A00B068FD724DF69D14575BFBF2FB88200F00892DD48AD7A50DB75E945CBA1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A33F50 Relevance: 1.6, Strings: 1, Instructions: 397COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: $dq
                                                                                                                                      • API String ID: 0-847773763
                                                                                                                                      • Opcode ID: c6301130a2217d4cdf18eae128fb30b8b64e0933a1c4370d7e9852fb3ff5d0e4
                                                                                                                                      • Instruction ID: ec656ce2bc68fd60acd8c7a3522c8cc68aea80acb55fd5cdb7ef8a44c6eecd4e
                                                                                                                                      • Opcode Fuzzy Hash: c6301130a2217d4cdf18eae128fb30b8b64e0933a1c4370d7e9852fb3ff5d0e4
                                                                                                                                      • Instruction Fuzzy Hash: 92E12C74F006158FCB54EF69C5949AEBBF6FF88600B158169E906EB365DB31DC01CBA0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 055D4248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 055D59F1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1812091456.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_55d0000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                      • Opcode ID: 9e11c2de8d253cab268c489bad3c9b5dcaa4b01cf17f087ebc74c78fe20cf536
                                                                                                                                      • Instruction ID: 0fa7e26c5e7b096d74619f57eece9830d38cdea0074ab69f52d495b571fea7da
                                                                                                                                      • Opcode Fuzzy Hash: 9e11c2de8d253cab268c489bad3c9b5dcaa4b01cf17f087ebc74c78fe20cf536
                                                                                                                                      • Instruction Fuzzy Hash: 8841DFB1C0072DCADB24DFA9C884B9DBBF5FF49314F20806AD409AB251DB756945CFA0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 055D5935 Relevance: 1.6, APIs: 1, Instructions: 94COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 055D59F1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1812091456.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_55d0000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                      • Opcode ID: 9a244bd4681ba5175653bc367837f7f03244ebaa8fd003e23f18cbd57ef27d84
                                                                                                                                      • Instruction ID: 0054bb73cdce80869d3a005ae370aec27f5aaa1b3939ce77b35add2f21340c70
                                                                                                                                      • Opcode Fuzzy Hash: 9a244bd4681ba5175653bc367837f7f03244ebaa8fd003e23f18cbd57ef27d84
                                                                                                                                      • Instruction Fuzzy Hash: 6A41D1B1D00729CADB24DFA9C884BDDBBF5FF48305F20806AD409AB255DB756949CFA0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A359C8 Relevance: 1.6, Strings: 1, Instructions: 320COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: d
                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                      • Opcode ID: 16da73ac322af075f3ac534862de10001a366040185e06557324853c50fa8759
                                                                                                                                      • Instruction ID: 6e05db16ec262832bb22e5dd941f487ce4e5f1a67d8b3429b069816ccffca84e
                                                                                                                                      • Opcode Fuzzy Hash: 16da73ac322af075f3ac534862de10001a366040185e06557324853c50fa8759
                                                                                                                                      • Instruction Fuzzy Hash: CCD15834A00612CFCB64DF5DC58096ABBF2FF88314729CA59E45A9B665D730FC46CB90
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 055DC9A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,055DD2C6,?,?,?,?,?), ref: 055DD387
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1812091456.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_55d0000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                      • Opcode ID: 7d14463740e25de8303826f98d570ff420996ffb1b0e8f0d6d879ed4d22294a3
                                                                                                                                      • Instruction ID: e295180302a6c8f558809b610a1f1a93d6999468d8161db1da621385c4bdd7de
                                                                                                                                      • Opcode Fuzzy Hash: 7d14463740e25de8303826f98d570ff420996ffb1b0e8f0d6d879ed4d22294a3
                                                                                                                                      • Instruction Fuzzy Hash: CC21D2B59003489FDB10CF9AD984AEEFBF5FB48320F14841AE959A3350D374A954CFA5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 055DD2F9 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,055DD2C6,?,?,?,?,?), ref: 055DD387
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1812091456.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_55d0000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                      • Opcode ID: b8055d2ff0fe5b71d7f233e5085513a9b5755ca111a71654d58142c170bf8515
                                                                                                                                      • Instruction ID: e762cf39e0d7851839ae3c0ac69d00a8eab44646c540747013169e106331731f
                                                                                                                                      • Opcode Fuzzy Hash: b8055d2ff0fe5b71d7f233e5085513a9b5755ca111a71654d58142c170bf8515
                                                                                                                                      • Instruction Fuzzy Hash: A4211FB58003499FDB10CFA9E585ADEFBF4FB48320F24841AE918A7250C338AA50CF61
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 055DA870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,055DB101,00000800,00000000,00000000), ref: 055DB312
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1812091456.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_55d0000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: LibraryLoad
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1029625771-0
                                                                                                                                      • Opcode ID: 7a0e4a8491400ea65cb4e05da6967eb056001fd008a13abbaf15e6658bf2b2d6
                                                                                                                                      • Instruction ID: 832893b546965a114bf85423c082680a4e1377c5b0bba80aa97e337a6319db75
                                                                                                                                      • Opcode Fuzzy Hash: 7a0e4a8491400ea65cb4e05da6967eb056001fd008a13abbaf15e6658bf2b2d6
                                                                                                                                      • Instruction Fuzzy Hash: DE1114B68003498FCB20DF9AC444A9EFBF5FB48320F11842ED919A7200C775A545CFA5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 055DB2A0 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,055DB101,00000800,00000000,00000000), ref: 055DB312
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1812091456.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_55d0000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: LibraryLoad
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1029625771-0
                                                                                                                                      • Opcode ID: c9b760718379fd0d1d7b073d78dd4c724c9a8f67b22d527d2e0c15b88ff630bf
                                                                                                                                      • Instruction ID: bc2e8538523e089404948a0e3f98897d2d7109d64237b6118c9f27066f4109ff
                                                                                                                                      • Opcode Fuzzy Hash: c9b760718379fd0d1d7b073d78dd4c724c9a8f67b22d527d2e0c15b88ff630bf
                                                                                                                                      • Instruction Fuzzy Hash: E41126BA8003098FDB10CF9AC445ADEFBF5FB48310F10842ED429A7210C779A545CFA5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 055D9838 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,055DAE4C), ref: 055DB086
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1812091456.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_55d0000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                      • Opcode ID: e83cb87479a9a9a7ff55f5fe0fd7a80f47a4cf3b54df9565d824a6820d8c8923
                                                                                                                                      • Instruction ID: 18d0487c28a7f480c079b591b5ea7f3be3e472a6249cf526253f574af0374b54
                                                                                                                                      • Opcode Fuzzy Hash: e83cb87479a9a9a7ff55f5fe0fd7a80f47a4cf3b54df9565d824a6820d8c8923
                                                                                                                                      • Instruction Fuzzy Hash: F511F0B6C007498FCB20DF9AC444B9EFBF5FB89220F11845AD429B7210D375A549CFA5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A33DE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'dq
                                                                                                                                      • API String ID: 0-1167855494
                                                                                                                                      • Opcode ID: a3ae4982aeb2d4c0c8cd94eed91c2e25976a68797f4b2fd0535ed1fc0537d861
                                                                                                                                      • Instruction ID: ea76f2a993965f796e26e934ac8d7b065924e9eb73dea0975d079b7a8be650e1
                                                                                                                                      • Opcode Fuzzy Hash: a3ae4982aeb2d4c0c8cd94eed91c2e25976a68797f4b2fd0535ed1fc0537d861
                                                                                                                                      • Instruction Fuzzy Hash: 6531F431B093A14FC756AB78A85046E7BE6EFC621131544AEE04ACF791CE35EC07C7A1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A384C8 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'dq
                                                                                                                                      • API String ID: 0-1167855494
                                                                                                                                      • Opcode ID: 179d21cbcf698e0122860a0db8586c0cdac3c6b8dca1e8efec50d26814eef124
                                                                                                                                      • Instruction ID: 084000d936eb4c75ca903f79bb9e5c79032cc371a008ac3fc2327e09545452ac
                                                                                                                                      • Opcode Fuzzy Hash: 179d21cbcf698e0122860a0db8586c0cdac3c6b8dca1e8efec50d26814eef124
                                                                                                                                      • Instruction Fuzzy Hash: 25316B71B002169FCB09EB7DA5545AF3BE7AFC8201B144439E50ACB385EE39AC0687D1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3B358 Relevance: 1.3, Strings: 1, Instructions: 41COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'dq
                                                                                                                                      • API String ID: 0-1167855494
                                                                                                                                      • Opcode ID: 4228fbd4c7a590cd6299e31ce74ed15eff369dd0d37a1eae665e5240236b5b47
                                                                                                                                      • Instruction ID: d10ba4dc170f147ff61695050a239d20fbd130f325caeeec4b1c43410776e790
                                                                                                                                      • Opcode Fuzzy Hash: 4228fbd4c7a590cd6299e31ce74ed15eff369dd0d37a1eae665e5240236b5b47
                                                                                                                                      • Instruction Fuzzy Hash: 8401BC3490634AAFCB01EFB8E96469D7FF2FF85200B1445A9E90597250DA302E85CB62
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A33EC8 Relevance: 1.3, Strings: 1, Instructions: 36COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'dq
                                                                                                                                      • API String ID: 0-1167855494
                                                                                                                                      • Opcode ID: c1fb174a29efa24dad92200fca66b477d3b78faf3a2b39a9fc5086103cf4aac8
                                                                                                                                      • Instruction ID: 23f4d433357776c182df7ad733d89b34367b7c3e1cdc7318afc0b7ea1f532bbb
                                                                                                                                      • Opcode Fuzzy Hash: c1fb174a29efa24dad92200fca66b477d3b78faf3a2b39a9fc5086103cf4aac8
                                                                                                                                      • Instruction Fuzzy Hash: 13F090313103124FC649FB69E45096E77D7EBD9212350892DE40E8BB54EE30BD4687E5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3B368 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'dq
                                                                                                                                      • API String ID: 0-1167855494
                                                                                                                                      • Opcode ID: e4e92438c8d4bec5833d47f8558fc5487f60e6d9d9aa118e227023266b5bca0a
                                                                                                                                      • Instruction ID: 18c795a796e8d158ad93bc09e305b7fd08f40e259fbd2b38e9f0e48e5506cc9b
                                                                                                                                      • Opcode Fuzzy Hash: e4e92438c8d4bec5833d47f8558fc5487f60e6d9d9aa118e227023266b5bca0a
                                                                                                                                      • Instruction Fuzzy Hash: 13F03C74A0230AEFCB44EFB8E55465C7BF2FB95201F1485A9D90997254EF302E85CB45
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A22078 Relevance: 1.0, Instructions: 1038COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814038588.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a20000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: cccb916b025fdf55fc9283e28673368e95661b7598161243fc6b08b49c534a39
                                                                                                                                      • Instruction ID: ee4fc729e62513490fa93eb94ecf5ea81a87a4419ecb5fc2c5b199d585650f0f
                                                                                                                                      • Opcode Fuzzy Hash: cccb916b025fdf55fc9283e28673368e95661b7598161243fc6b08b49c534a39
                                                                                                                                      • Instruction Fuzzy Hash: 08925170A402189FCF559F64C951BEDBBB6FF88700F11809AE509AB3A1DB319E81DF91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A200D8 Relevance: .7, Instructions: 676COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814038588.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a20000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 9975e7e5a4bfc620bdd9ac9c56e8408ed4281c17aec780bf5efcc1dfb5145ad5
                                                                                                                                      • Instruction ID: fdc9a72dc43f1ed57c9d18dcce71feccb4bc24d8bcead2d527b6dd0b9635fd13
                                                                                                                                      • Opcode Fuzzy Hash: 9975e7e5a4bfc620bdd9ac9c56e8408ed4281c17aec780bf5efcc1dfb5145ad5
                                                                                                                                      • Instruction Fuzzy Hash: 8642853074062A8FDB64AFB8946462EBBF2FFC5701B50499CD5079B3A1CF79AC458B81
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A21FA0 Relevance: .7, Instructions: 652COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814038588.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a20000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f14c7300c6b21d1edfebed6088ca6269a4a8fd3d3407dca7c529e05c2658c6bc
                                                                                                                                      • Instruction ID: 5a673148a5c41cae21b22101acce5517d2021b8a9578f7223e38d3c885d61fd2
                                                                                                                                      • Opcode Fuzzy Hash: f14c7300c6b21d1edfebed6088ca6269a4a8fd3d3407dca7c529e05c2658c6bc
                                                                                                                                      • Instruction Fuzzy Hash: 2C428270B401149FCB589B24C995AAE77B6FFC8704F118099EA069F3A2CF71ED81DB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A200B7 Relevance: .3, Instructions: 341COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814038588.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a20000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f3e2e148ccc9e410dfbf4636c94bb53f827b785e40ebd97c90ad19f0e58cc09c
                                                                                                                                      • Instruction ID: cb820b891808457c765c64e8166c3c6e342693c79c7cd2138ebf4ee06b50d4a8
                                                                                                                                      • Opcode Fuzzy Hash: f3e2e148ccc9e410dfbf4636c94bb53f827b785e40ebd97c90ad19f0e58cc09c
                                                                                                                                      • Instruction Fuzzy Hash: E0C19F30B402159FDB449FA9C859B7A7BFAFF89700F108059EA069B3A1CB75DC85CB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A34AFF Relevance: .3, Instructions: 295COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d576ac1108d0ee8ceaccc25e4bacfa1e5fd80d0d760e5a44dfdf093f57029ca7
                                                                                                                                      • Instruction ID: 7f2118f3816c4dc3d7b4318abcf7b5cf4674336fbca2472a4275470e38e2b6b9
                                                                                                                                      • Opcode Fuzzy Hash: d576ac1108d0ee8ceaccc25e4bacfa1e5fd80d0d760e5a44dfdf093f57029ca7
                                                                                                                                      • Instruction Fuzzy Hash: FFC16A74B006158FCB45DF79C484AAABBF2FF89301B2585A9E546CB762DB30EC45CB60
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A240AD Relevance: .2, Instructions: 202COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814038588.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a20000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8de9cbdc8b379cc524f05e1919d584737d665261335c78710fdb539d6182204d
                                                                                                                                      • Instruction ID: 2f015ddfc3952552306f2e1c64e75852d824bf7381600b38a883400306a5971e
                                                                                                                                      • Opcode Fuzzy Hash: 8de9cbdc8b379cc524f05e1919d584737d665261335c78710fdb539d6182204d
                                                                                                                                      • Instruction Fuzzy Hash: 4C813870B002149FCB44DBA8C894EADBBF6EF89700F11809AE605DB3A2CB71ED45CB40
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A37D58 Relevance: .1, Instructions: 147COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f988dd8d106e0ada86572090bc9fd32bb95014e7f103868deee06c8fa20eb41d
                                                                                                                                      • Instruction ID: 7d9c0b6b9b5ca98d155e1fc420ecff1480b4530f3585d08e84b0160724e4e54b
                                                                                                                                      • Opcode Fuzzy Hash: f988dd8d106e0ada86572090bc9fd32bb95014e7f103868deee06c8fa20eb41d
                                                                                                                                      • Instruction Fuzzy Hash: 435126B1E003288FDB64DFA9C884BEEFBB5BF48300F248529E415AB244DB749841CF84
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A37D4C Relevance: .1, Instructions: 132COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8db2ca2a8b9c26f31f2c3310b300db612ce32a48564e2e11281a4d53fcdaa704
                                                                                                                                      • Instruction ID: 35502f03687ba1a76adde441ad9ed94a29bfd3ce33cb1afc2879feb9805e99b5
                                                                                                                                      • Opcode Fuzzy Hash: 8db2ca2a8b9c26f31f2c3310b300db612ce32a48564e2e11281a4d53fcdaa704
                                                                                                                                      • Instruction Fuzzy Hash: 615134B0D003699FDB65DFAAC885BDEFBF5BB48300F248529E405AB280DB749841CF94
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A35579 Relevance: .1, Instructions: 108COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6447ac96dfc284facb4b26608a9fb1277bf4637700979917043ef2f5bbbe049a
                                                                                                                                      • Instruction ID: a20e92b7c6f181530547deed4436479d91fc0e0b96ae5cc81ce7418d8aec4464
                                                                                                                                      • Opcode Fuzzy Hash: 6447ac96dfc284facb4b26608a9fb1277bf4637700979917043ef2f5bbbe049a
                                                                                                                                      • Instruction Fuzzy Hash: 7C415774B012209FCB16DF39D88495E7BB6EF89241B4584A9F905CB355CB30DD06CBA0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A35588 Relevance: .1, Instructions: 96COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6e3afbc77fafb48c6d6a93b5abddf49157b5fc01dc73efe2bb718b8870a2a864
                                                                                                                                      • Instruction ID: 1e8d3f18d5208dc053caee54e3634243356c8b3ea48b178f5d0584ac522f26e8
                                                                                                                                      • Opcode Fuzzy Hash: 6e3afbc77fafb48c6d6a93b5abddf49157b5fc01dc73efe2bb718b8870a2a864
                                                                                                                                      • Instruction Fuzzy Hash: 6F315774B012209FCB45DF38D88496EBBB6FF89201B458469F906CB355DB31ED02CBA0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A387A0 Relevance: .1, Instructions: 93COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 80f47716bdcfdb558b7ddb713082eb267fc5005205d25282d84facd2d424eb75
                                                                                                                                      • Instruction ID: f5c07f99bc51fdc5faafd24e89f23cc8220ec6384eeecfaa268c2ef41b4b74ad
                                                                                                                                      • Opcode Fuzzy Hash: 80f47716bdcfdb558b7ddb713082eb267fc5005205d25282d84facd2d424eb75
                                                                                                                                      • Instruction Fuzzy Hash: 7E4122B1D01218DFDB18DFAAD944ADEFBF6AF88300F10802AE415BB250DB34A945CF90
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A38796 Relevance: .1, Instructions: 82COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8e985d415d8e97cc50007abd98845dea386ca8b12ab161e5da65a4fccd537886
                                                                                                                                      • Instruction ID: 1b15d75329d690f460f1661a3dad6916207f9018b078763858a1715e84bb5c7b
                                                                                                                                      • Opcode Fuzzy Hash: 8e985d415d8e97cc50007abd98845dea386ca8b12ab161e5da65a4fccd537886
                                                                                                                                      • Instruction Fuzzy Hash: 873124B1D012589FDB14DFAAC944ADEFFF6AF88300F14802AE415BB290DB759945CF90
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A230FB Relevance: .1, Instructions: 78COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814038588.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a20000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d846c350eddcbbdac7961ead9cd99b3bc79a2e9cd2c46fb45ab30a4118bc5737
                                                                                                                                      • Instruction ID: ab1ea8505c6aa572b5a72760210a52c3168f16c3e9ef89b1a52d8567bad48ba3
                                                                                                                                      • Opcode Fuzzy Hash: d846c350eddcbbdac7961ead9cd99b3bc79a2e9cd2c46fb45ab30a4118bc5737
                                                                                                                                      • Instruction Fuzzy Hash: 2F215C35B40014AFCB54DF69D984EA9BBB2EF88714F1280A9F9059F3A2CB31EC01CB50
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A2360B Relevance: .1, Instructions: 78COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814038588.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a20000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1d3ec36cd12c0dd934a401f7ea1c68079c95ebdd315ee19306778b6ce83edcf3
                                                                                                                                      • Instruction ID: a01fc054281866e1d4e5411234197c6efed50da0ba69d4099eb8d17385531719
                                                                                                                                      • Opcode Fuzzy Hash: 1d3ec36cd12c0dd934a401f7ea1c68079c95ebdd315ee19306778b6ce83edcf3
                                                                                                                                      • Instruction Fuzzy Hash: 5B217F35B400159FCB54EF29C884DAABBB2FF89714F1180A5F9099F3A2DA31EC05CB50
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A2345B Relevance: .1, Instructions: 78COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814038588.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a20000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f555180d2ec75bcb1a174387f90644996abf936c09aad3fe941fca64abeb84c9
                                                                                                                                      • Instruction ID: 3db751350ffb0495327c57b17f7b7abd5ee09c47d558a58229b76c41c81b3370
                                                                                                                                      • Opcode Fuzzy Hash: f555180d2ec75bcb1a174387f90644996abf936c09aad3fe941fca64abeb84c9
                                                                                                                                      • Instruction Fuzzy Hash: 1F216D36B40014AFCB54DF29C994DA9BBB2EF88714F1180A9F9059F362CB31EC05CB50
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A38A98 Relevance: .1, Instructions: 77COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d5922fea4abe5356adad1a8295d999e645e51a1f5b6908f15b44f15ac8998c56
                                                                                                                                      • Instruction ID: c875e29568a9afd903e54a31680f259f2afe4f546fbdaeb23d5c25e835e4997c
                                                                                                                                      • Opcode Fuzzy Hash: d5922fea4abe5356adad1a8295d999e645e51a1f5b6908f15b44f15ac8998c56
                                                                                                                                      • Instruction Fuzzy Hash: 193112B1D01259DFDB54DFA9D894ADEFBF5BF88310F24802AE409BB241C778A945CB90
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 0150D3D8 Relevance: .1, Instructions: 75COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1806293579.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_150d000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0e4a59038286649a701c9e0b5a2c77001e15208f0a9c74bfeec59a225d1eb0dc
                                                                                                                                      • Instruction ID: 6206787da5501978ad890cfb66efd3cabf6601c8191e048fe19c7d1c5297be92
                                                                                                                                      • Opcode Fuzzy Hash: 0e4a59038286649a701c9e0b5a2c77001e15208f0a9c74bfeec59a225d1eb0dc
                                                                                                                                      • Instruction Fuzzy Hash: F52124B1500200DFDB02DFC8C9C0B6ABFB5FB94324F20C569E90A0F286C376E416C6A2
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A21068 Relevance: .1, Instructions: 73COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814038588.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a20000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 251fb3e8b860cb5ecb89d1b45bd27fa428ac598b6770cde19f91c3f02da7c747
                                                                                                                                      • Instruction ID: b0fb32edc84525e501d2a81b2aea30f59bff59ec8b60eecdf3b21c8deb4aaf1c
                                                                                                                                      • Opcode Fuzzy Hash: 251fb3e8b860cb5ecb89d1b45bd27fa428ac598b6770cde19f91c3f02da7c747
                                                                                                                                      • Instruction Fuzzy Hash: EC21C230B00115AFDB449BAEE9449AEB7FAFFD82107258169E9198B3A5DB30CC51C7A1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 0151D01C Relevance: .1, Instructions: 72COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1806333089.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_151d000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e0cc7a860761af7f635b9da15ce13fa67516f39a95eb075063094bb04e0d31f1
                                                                                                                                      • Instruction ID: 113223dcc56a6207629ff73564801dd59421bffdcce2388691c1f334aafd216e
                                                                                                                                      • Opcode Fuzzy Hash: e0cc7a860761af7f635b9da15ce13fa67516f39a95eb075063094bb04e0d31f1
                                                                                                                                      • Instruction Fuzzy Hash: FC210375604200DFEB16DF58D8C8B26BBB5FB84314F20C96DD80A0F24AD33AD847CA61
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A38F42 Relevance: .1, Instructions: 70COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: c76ebe6d4b6a72ea2ec9af77601a8b5608abeb27164500ec458763be447dbbca
                                                                                                                                      • Instruction ID: bb2f767394a8c62aa592add18da3e67807a492504cb14835e184e614b353ace7
                                                                                                                                      • Opcode Fuzzy Hash: c76ebe6d4b6a72ea2ec9af77601a8b5608abeb27164500ec458763be447dbbca
                                                                                                                                      • Instruction Fuzzy Hash: D021E2B4D0526ADFCB00DFA8D584AEEBBB1EF49301F1040AAF415AB351D7385A81CF90
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A38A8C Relevance: .1, Instructions: 70COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 018459236969ac6a52905ecc17ee4fd892df38e6732d0c1778bf1403343bb9e1
                                                                                                                                      • Instruction ID: 2c823023b6b8dbe0776bb04510f1c624b215a2977db35c74c5a52af2c65e754a
                                                                                                                                      • Opcode Fuzzy Hash: 018459236969ac6a52905ecc17ee4fd892df38e6732d0c1778bf1403343bb9e1
                                                                                                                                      • Instruction Fuzzy Hash: DE2117B0D013599FDB24DFA9C895BDEBFF9AF48310F14842AE405AB241C7749845CBA0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A36E72 Relevance: .1, Instructions: 66COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 33a03fdb0a2fbf33585b3321079b9966ecaeac57376a80d0b1c7cf9dc62b3c10
                                                                                                                                      • Instruction ID: c873e983e26d036fb25a2b632ea68c1e22a57d32e3edb8a3b4738550db1801f6
                                                                                                                                      • Opcode Fuzzy Hash: 33a03fdb0a2fbf33585b3321079b9966ecaeac57376a80d0b1c7cf9dc62b3c10
                                                                                                                                      • Instruction Fuzzy Hash: D711C43220D3E52EC7525BA95C50CFB7FADDA8B161309419BFAD5C7083C0188A26D7B1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 0151D006 Relevance: .1, Instructions: 62COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1806333089.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_151d000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 914b5a07b1f3fd382cb64947eefe2f7db7a0e2eda4e6a62bfb4f4efbd80e5f86
                                                                                                                                      • Instruction ID: 2389e5a699fe433cc7e0dad251f1709d3d48551de53fd4de92f02a459149932a
                                                                                                                                      • Opcode Fuzzy Hash: 914b5a07b1f3fd382cb64947eefe2f7db7a0e2eda4e6a62bfb4f4efbd80e5f86
                                                                                                                                      • Instruction Fuzzy Hash: BB219F755093808FDB03CF24D994B15BF71FB46214F28C5EAD8498F2A7C33A984ACB62
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 0150D3D3 Relevance: .1, Instructions: 56COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1806293579.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_150d000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                                                                      • Instruction ID: fbab301ff132113a8b63f4de89bcbd2563c5167df9f3deb458629286dd66cb5c
                                                                                                                                      • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                                                                      • Instruction Fuzzy Hash: FA11DF76504240CFDB02CF84D5C4B5ABF72FB84324F24C2A9D9090F296C33AE45ACBA1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A38350 Relevance: .0, Instructions: 50COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 385dd01de9a059cb6b46cf74a966b135efcb7d008f93422f0936892178dd04c2
                                                                                                                                      • Instruction ID: 253be5ed7ed87ed93052fba99dd15664c27051fae19612cee82ecb3ded3fa44e
                                                                                                                                      • Opcode Fuzzy Hash: 385dd01de9a059cb6b46cf74a966b135efcb7d008f93422f0936892178dd04c2
                                                                                                                                      • Instruction Fuzzy Hash: 69017172B0011A9FDF10DEA9AC44ABFF7FAEBD8651B144036E605D3240EB30991587A1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3C499 Relevance: .0, Instructions: 48COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ccc29700dd80dbfc7c330f69f8ed092f91ef64c4034ca983b9eebf8eea085531
                                                                                                                                      • Instruction ID: a732a3f9d31fe5c5499bb724bcb5bfe2424163f75aec838df5e78a91e0ed50ef
                                                                                                                                      • Opcode Fuzzy Hash: ccc29700dd80dbfc7c330f69f8ed092f91ef64c4034ca983b9eebf8eea085531
                                                                                                                                      • Instruction Fuzzy Hash: 1A01A1342043058FD316DF74E41866A3BE3FFC5312B108A2AD14A8B684CF74AD4A8B92
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3BC70 Relevance: .0, Instructions: 46COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 34178f86b8cf99b88cf87649bc595eec833b0b34b013b84f7aea69beafcde5f6
                                                                                                                                      • Instruction ID: cb86dcc0534d52a6cf401da626873c450697f24abf01e1cc1994a68ec41aa2d2
                                                                                                                                      • Opcode Fuzzy Hash: 34178f86b8cf99b88cf87649bc595eec833b0b34b013b84f7aea69beafcde5f6
                                                                                                                                      • Instruction Fuzzy Hash: 94019A3121030B5FC686A778A46452E3AE3FFE13527458828EA0B8B690DE307D868792
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 0150DAC5 Relevance: .0, Instructions: 45COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1806293579.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_150d000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: c62d97b2c5bfe43db38cf09958c7349fa7b0c840f014c28525de0c1da417f660
                                                                                                                                      • Instruction ID: 0f4b1034e8c5d9fff0f944feed47660400fce656d002d3efb684efb79b088a7f
                                                                                                                                      • Opcode Fuzzy Hash: c62d97b2c5bfe43db38cf09958c7349fa7b0c840f014c28525de0c1da417f660
                                                                                                                                      • Instruction Fuzzy Hash: F301F2310087409AE7228ED9CCC4B6BBFF8FF51325F18C85AED090E2C2C6789840CA71
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3C4A8 Relevance: .0, Instructions: 42COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3acdfeba4675de4b32e75f8224af891a2aa89ede961ff4cf0e7da427ba78cfca
                                                                                                                                      • Instruction ID: e8bf4a4b34812846c773c5467ca299108c7490856aaa4d7c255eca75aa6b7f9e
                                                                                                                                      • Opcode Fuzzy Hash: 3acdfeba4675de4b32e75f8224af891a2aa89ede961ff4cf0e7da427ba78cfca
                                                                                                                                      • Instruction Fuzzy Hash: 9F019E342003098FD365EF65D01865A7BE3FBC8312F108A2DD14B8B684CF74AC4A8B92
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A35508 Relevance: .0, Instructions: 42COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 96d4cdebb24d27e33ce17ae46d85ff6ee1f8e24c5da1966efdd87e0c191a69be
                                                                                                                                      • Instruction ID: 0221e1f3b163192067fccfbbc7d5f18ddf47b1a26c827e9ce8f3ff1c6c4e3291
                                                                                                                                      • Opcode Fuzzy Hash: 96d4cdebb24d27e33ce17ae46d85ff6ee1f8e24c5da1966efdd87e0c191a69be
                                                                                                                                      • Instruction Fuzzy Hash: D5016D30E05722CFDBA9AB6DE544627B7F7BF84205714882CF4078AA14DB75F480CB90
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A367C8 Relevance: .0, Instructions: 38COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3ff2dc1832890d6176b0d6464cb42424aa4c3d1c3bcdc95a8f15fbe5fccde3a5
                                                                                                                                      • Instruction ID: e488ccc249e7c1b73ecc206027841b5c73303634d5b10d20e61553ee79fbc7bc
                                                                                                                                      • Opcode Fuzzy Hash: 3ff2dc1832890d6176b0d6464cb42424aa4c3d1c3bcdc95a8f15fbe5fccde3a5
                                                                                                                                      • Instruction Fuzzy Hash: C8F0CD31B443207FC7219A69AC45F967FEAEB86720F048126F214CF1E2D6B1E8469390
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A38F50 Relevance: .0, Instructions: 37COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 20b6329f6777f713e7d33b8d0ea7ef78eaa9a333251f1449c20d28fc486e56d8
                                                                                                                                      • Instruction ID: 52d1ba5555fa7ff93d247878826c43669747d7cc1517ed37dac93fca0329f2d9
                                                                                                                                      • Opcode Fuzzy Hash: 20b6329f6777f713e7d33b8d0ea7ef78eaa9a333251f1449c20d28fc486e56d8
                                                                                                                                      • Instruction Fuzzy Hash: 8401D2B4D0421AEFCB44EFA9D9456AEFBF5BF48301F1090AAE815A3340E7780A40DF90
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 0150DAC4 Relevance: .0, Instructions: 36COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1806293579.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_150d000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 95443fbd585aa4468a24d232cd09712b4e648c6ad667d985efab91f1fdf8f13d
                                                                                                                                      • Instruction ID: cf557eacc2165b6b091bdbf40e8f44ad94381f27af59ecd4d8c6fd07565bb6f9
                                                                                                                                      • Opcode Fuzzy Hash: 95443fbd585aa4468a24d232cd09712b4e648c6ad667d985efab91f1fdf8f13d
                                                                                                                                      • Instruction Fuzzy Hash: C0F0C232004740AEE7218E89CC84B66FFE8EB40334F18C15AED080F2C6C6789840CE70
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A36EA0 Relevance: .0, Instructions: 35COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 9903350e166943860c9f686600abee12217df2f6fe96a7ac794a93da0d249321
                                                                                                                                      • Instruction ID: e8c095cdcf3a333dbef1433273def7df244ba27d4231e9fb14c234a24334b90e
                                                                                                                                      • Opcode Fuzzy Hash: 9903350e166943860c9f686600abee12217df2f6fe96a7ac794a93da0d249321
                                                                                                                                      • Instruction Fuzzy Hash: 40F012622041E93F8B558F9A5C10CFB7FEDDA8E1617084156FE99D2191C429C921ABB0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3C110 Relevance: .0, Instructions: 34COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f68e5b36049fa20dcef02393b96e5773129c0b9f82685f7c925eb7c0d6163d80
                                                                                                                                      • Instruction ID: a6e36d15d359faa5376304aa9cafa18120a80b4f1b612d434667b44bfa5ec24c
                                                                                                                                      • Opcode Fuzzy Hash: f68e5b36049fa20dcef02393b96e5773129c0b9f82685f7c925eb7c0d6163d80
                                                                                                                                      • Instruction Fuzzy Hash: 52F0BB3010A7E05FC312D739E81879B7FF6DF82255F08455AF246CB252CA656D0587A2
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A38FC0 Relevance: .0, Instructions: 33COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 38c59729e90607b2445a750cbe1b49e2f07e1f0282c867ea97123e202f41646b
                                                                                                                                      • Instruction ID: e93bcc05aed2e674b7bcfa40d06febaa0e6dc118cd7974562e70bac006610422
                                                                                                                                      • Opcode Fuzzy Hash: 38c59729e90607b2445a750cbe1b49e2f07e1f0282c867ea97123e202f41646b
                                                                                                                                      • Instruction Fuzzy Hash: F0F0A9B0C082699FDB00DFA4C8060AEBFB0EF5A201F04418AF406EB351E6394A01CB40
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A38341 Relevance: .0, Instructions: 28COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 9f132019696fbe9de6bc5936d18a3140bde0c7e92c6013e6de70ad36a9e331de
                                                                                                                                      • Instruction ID: 3f40d771494a19d9363d09e760de1621015ff211fac97ba46938c57e413d1511
                                                                                                                                      • Opcode Fuzzy Hash: 9f132019696fbe9de6bc5936d18a3140bde0c7e92c6013e6de70ad36a9e331de
                                                                                                                                      • Instruction Fuzzy Hash: 44F0EC757082564FCF11DA68D8445FEBFA9AF8516070C005BD550CB141D7354519C7D1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3ADF8 Relevance: .0, Instructions: 28COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 10f601c961309a3c2626af20a89b43fc84fe4db8698f3e318ea87d9ce6de2364
                                                                                                                                      • Instruction ID: 54f956b446a94a47a8708b44d10042c1a91c161da1ca25c2df9c7bfffbec80ee
                                                                                                                                      • Opcode Fuzzy Hash: 10f601c961309a3c2626af20a89b43fc84fe4db8698f3e318ea87d9ce6de2364
                                                                                                                                      • Instruction Fuzzy Hash: 42E092312013116FC3506B9AA458A9E7ADAFBC9351B01443CF20EC7281CE61280587A5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A35698 Relevance: .0, Instructions: 27COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: cf3ad6090454c041dafeafdb21f8e39cc611499801bff594137327b0153dac9a
                                                                                                                                      • Instruction ID: c271468dc3bed2c59102312e0e783e783d432b1dcae73ab62b85116abf15c082
                                                                                                                                      • Opcode Fuzzy Hash: cf3ad6090454c041dafeafdb21f8e39cc611499801bff594137327b0153dac9a
                                                                                                                                      • Instruction Fuzzy Hash: 73E06DB211D321AFC341DB34AC04897BBEDEF91220B05886EF084CB141E731D841CBB5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3C180 Relevance: .0, Instructions: 27COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 076d9ac3fea926f1a2335ec865d9ff9b85ee14f54171b9bc56bbc748e6a655c0
                                                                                                                                      • Instruction ID: 268c1e9490f715f0777377679cb21e37f24e706245212626d29784b21031b75b
                                                                                                                                      • Opcode Fuzzy Hash: 076d9ac3fea926f1a2335ec865d9ff9b85ee14f54171b9bc56bbc748e6a655c0
                                                                                                                                      • Instruction Fuzzy Hash: 24F09075501B058FD725DF26E408652BBF7FB88311B00C62EE98B82A10DB70B949CF85
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3B500 Relevance: .0, Instructions: 26COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f6fef94db6b835bb06e675c674266ece725eed776b7b2b9620ca590202883770
                                                                                                                                      • Instruction ID: c5b2ddfd557b694dd76df6fb2f2f3fb15b535d9543761d950de265a12953b2fb
                                                                                                                                      • Opcode Fuzzy Hash: f6fef94db6b835bb06e675c674266ece725eed776b7b2b9620ca590202883770
                                                                                                                                      • Instruction Fuzzy Hash: 6EF03975D0120CBFCB01DFB4E9589CDBFB9FB44200F1042A6E905E3240EA306B45CB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3C120 Relevance: .0, Instructions: 25COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 16f3a06b1ad25cb9ee72960244f278af90aa34b33753766f3cc4a4e0a286b756
                                                                                                                                      • Instruction ID: 399ad7ec31b7d069288f79e51746f6c0568b6aa8493cc3f86f8ed8bbbb34b646
                                                                                                                                      • Opcode Fuzzy Hash: 16f3a06b1ad25cb9ee72960244f278af90aa34b33753766f3cc4a4e0a286b756
                                                                                                                                      • Instruction Fuzzy Hash: 19E0A0302007654FC321EB29E41879E7BE6EB85216F040929E24687640CBA1BC018792
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3CC38 Relevance: .0, Instructions: 25COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: bb056ece057a05a5959d8bd9fd15db2480aa655106b86fa41c38761a422bb7e2
                                                                                                                                      • Instruction ID: b4229f25f132233004a0ed6c88794e9c3c888b850e108690031812d0ea047849
                                                                                                                                      • Opcode Fuzzy Hash: bb056ece057a05a5959d8bd9fd15db2480aa655106b86fa41c38761a422bb7e2
                                                                                                                                      • Instruction Fuzzy Hash: 6FE048321063616FC652DB16FC14DDB3B65E786651B014155E109C7651DE381D8787D1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3C185 Relevance: .0, Instructions: 24COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6fc7c2df21e84318459af6a9d381b73ef150dd24f149d3185be3f4392eec14e7
                                                                                                                                      • Instruction ID: f10c1bd85f2ed5c4d30bcbefa7c46385b5ea7ae99b411452c707d33eaafe7c2f
                                                                                                                                      • Opcode Fuzzy Hash: 6fc7c2df21e84318459af6a9d381b73ef150dd24f149d3185be3f4392eec14e7
                                                                                                                                      • Instruction Fuzzy Hash: 04F05E75501B058FD725DF22E048256BBF3FB88301B00C61DD98B82A54DB30B949CF81
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3CE88 Relevance: .0, Instructions: 24COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8012036ad2fe05e6fcfd61369ca091ee034528caa2e85eb81150de03ea54bb1a
                                                                                                                                      • Instruction ID: 31dce1d547bb694078ffaf32a53e36ed29aef766d185059284061139cc640297
                                                                                                                                      • Opcode Fuzzy Hash: 8012036ad2fe05e6fcfd61369ca091ee034528caa2e85eb81150de03ea54bb1a
                                                                                                                                      • Instruction Fuzzy Hash: 9DE02071407351BFC7429324B8145D53FA5EB432117158055FC49CB551DF380CC283D1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3E280 Relevance: .0, Instructions: 23COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3f9159cb52370bbc3c540418d6d86883b935a62920fd8ba00be28325628746b8
                                                                                                                                      • Instruction ID: a9cfa475497171ebb5cf9054d69877e901d88da7bcf1b8fd0374b3398163628a
                                                                                                                                      • Opcode Fuzzy Hash: 3f9159cb52370bbc3c540418d6d86883b935a62920fd8ba00be28325628746b8
                                                                                                                                      • Instruction Fuzzy Hash: 61E026324013226FC746A726BD115483BA1F75A300F020157EC09DB6B0CF280ECB8BE3
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3E1FF Relevance: .0, Instructions: 22COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e9b69a9eebdc7d9a7ebce4020cea6fd319fdbeaa6f03c05a69de2fd06d58a3de
                                                                                                                                      • Instruction ID: 3c990344e67b93177aba052d50842f5702d68dd0d13deeeca48992bd418167e7
                                                                                                                                      • Opcode Fuzzy Hash: e9b69a9eebdc7d9a7ebce4020cea6fd319fdbeaa6f03c05a69de2fd06d58a3de
                                                                                                                                      • Instruction Fuzzy Hash: 89E02071909319FFCB02CF6CEC5049D3BF1EB8210572046D6D909D7290E5300F158751
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3AC80 Relevance: .0, Instructions: 20COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 4d6df85a7f8d0a23faec6a411ffd2dac32393f8682a821cb42fba8ba97d768f5
                                                                                                                                      • Instruction ID: 012fc76a92fd437ce058465036b3f4f6d75680ce3e30ccbbbb3e9afb51957ac8
                                                                                                                                      • Opcode Fuzzy Hash: 4d6df85a7f8d0a23faec6a411ffd2dac32393f8682a821cb42fba8ba97d768f5
                                                                                                                                      • Instruction Fuzzy Hash: FED02B71321325678645276EB4184BE37DBEBD42223004039EA0BC7340CE203C0683D5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3B510 Relevance: .0, Instructions: 19COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 795f87e9467438360f13e745b86151ec54cfb5805ee7c1d65e81800bab37c909
                                                                                                                                      • Instruction ID: fa3ff8f1a45018e7b18fae6cc87e49c9621430bb199c83111a7017610d7aafb9
                                                                                                                                      • Opcode Fuzzy Hash: 795f87e9467438360f13e745b86151ec54cfb5805ee7c1d65e81800bab37c909
                                                                                                                                      • Instruction Fuzzy Hash: BEE09275D0020CEFCB40DFE4E9449DDBBB9EB48200F1082AADA09A3200EB306B55DF81
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3E90D Relevance: .0, Instructions: 18COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 46e30569c95e4c84d66558ff26fdafe506e387a778ee9d9347edfcd87e3bf4a8
                                                                                                                                      • Instruction ID: 369ceb459f46ef4c57ba200d32ec08ce0475ac552f52d910bc8f3124d4e127de
                                                                                                                                      • Opcode Fuzzy Hash: 46e30569c95e4c84d66558ff26fdafe506e387a778ee9d9347edfcd87e3bf4a8
                                                                                                                                      • Instruction Fuzzy Hash: 26D01776A9A291DFC3836B74DA54A813F76AF47251B1940C2E484CF177D2264C18DFA2
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3E210 Relevance: .0, Instructions: 16COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e0563df809a2d72f0ff7ec09b52f8f81d601ea73e9347fc19a89131803c2284d
                                                                                                                                      • Instruction ID: be2be01282bf777c7fbf08ea6b7f7f16ea6a4f8d08a4cfa1c85a169427ae6b96
                                                                                                                                      • Opcode Fuzzy Hash: e0563df809a2d72f0ff7ec09b52f8f81d601ea73e9347fc19a89131803c2284d
                                                                                                                                      • Instruction Fuzzy Hash: BDD05EB2A0120DFFCB41DFACE90095DB7FAEB84205B1089A9D90DE7200EA312F009B91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3F8EA Relevance: .0, Instructions: 14COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 2ec3910216d86669f834a1c36efcd520a3e96caa97a5c2f5ef11b9d929d95e2f
                                                                                                                                      • Instruction ID: ffb7db3c6e86d439ad1000278d1098bea100ac2d00654d4fc608dafeeabc338d
                                                                                                                                      • Opcode Fuzzy Hash: 2ec3910216d86669f834a1c36efcd520a3e96caa97a5c2f5ef11b9d929d95e2f
                                                                                                                                      • Instruction Fuzzy Hash: EEC012727002210B8284A6AC703006D76D7B7C82A3386402BEB0EC3388CD609C424385
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A33721 Relevance: .0, Instructions: 13COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: fa7a5bd9310860675e39771a884542da3661789edb513ce505660de8553080b5
                                                                                                                                      • Instruction ID: 2d2f980c5ec12e3cfb5fcd10d60c82141111bc39b3b9116cdefa99b9e33a9cda
                                                                                                                                      • Opcode Fuzzy Hash: fa7a5bd9310860675e39771a884542da3661789edb513ce505660de8553080b5
                                                                                                                                      • Instruction Fuzzy Hash: 39C0123014A3A02FC71306202C05D977E269781B00B064086F2448B4D3C6614524D2F2
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3DFD1 Relevance: .0, Instructions: 9COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e53389c5d0801d365bda2b3832f4101f355b949ff0f38db9772753f6517a1147
                                                                                                                                      • Instruction ID: f78418f1c829f989b2639b496c414419dae1010715bab6031a1c8f0e0821b354
                                                                                                                                      • Opcode Fuzzy Hash: e53389c5d0801d365bda2b3832f4101f355b949ff0f38db9772753f6517a1147
                                                                                                                                      • Instruction Fuzzy Hash: D4C09B7698B7D46EDF0217349C1D4857E567F9276171540D7F3418D062F7510505C791
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Non-executed Functions

                                                                                                                                      Function 06A36FE8 Relevance: .8, Instructions: 787COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 88cb77c9c77e15b76bdc55c6d42be51e474e4fb28b59f4efd636abd6c9afdbd0
                                                                                                                                      • Instruction ID: 9b22137acc735fc5227e8a4b5bf8169c6c573ab89e6d34d50a65cc90ba7f01c6
                                                                                                                                      • Opcode Fuzzy Hash: 88cb77c9c77e15b76bdc55c6d42be51e474e4fb28b59f4efd636abd6c9afdbd0
                                                                                                                                      • Instruction Fuzzy Hash: F5621CB06103019FD789EF98D45872A7AD6FB84308F24C45CD10E8F396DBBAD94B8B91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A36FF8 Relevance: .8, Instructions: 780COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3cebd69b5b64401c856f3118c29bc81d724709c12f97095d5959851fe69ea8e6
                                                                                                                                      • Instruction ID: ebacb2877b71d9b6252c3baa2b81364dd72186f2cc810cf5cf1c6a415c9a6637
                                                                                                                                      • Opcode Fuzzy Hash: 3cebd69b5b64401c856f3118c29bc81d724709c12f97095d5959851fe69ea8e6
                                                                                                                                      • Instruction Fuzzy Hash: FC621CB06103019FD789EF98D45872A7AD6FB84308F24C45CD10E9F396DBBAD94B8B91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 07E14E37 Relevance: .3, Instructions: 273COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: cdd0cf7257cd6ef9edb4f2e5f649d68cb9f656736cf3321a94f73d43e5febfdd
                                                                                                                                      • Instruction ID: f78078d922ba5281780761d0cd655e020d77cfdd2bfc9617a2b03d9b8772c79e
                                                                                                                                      • Opcode Fuzzy Hash: cdd0cf7257cd6ef9edb4f2e5f649d68cb9f656736cf3321a94f73d43e5febfdd
                                                                                                                                      • Instruction Fuzzy Hash: CED1F931C2075ADACB11EBA4D950699B7B1FFE5300F11CB9AE0093B624EB706ED5CB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 07E14E48 Relevance: .3, Instructions: 264COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e54f1223a8a6aa2808a8345a525c28b6468859ac51f5a9e987a544e7a9f7c1b7
                                                                                                                                      • Instruction ID: 388fdfe2e44988be0717802efe5694e966c07c189baa880fca7043f178575c4e
                                                                                                                                      • Opcode Fuzzy Hash: e54f1223a8a6aa2808a8345a525c28b6468859ac51f5a9e987a544e7a9f7c1b7
                                                                                                                                      • Instruction Fuzzy Hash: 87D1E935C2075ADACB11EBA4D950699B7B1FFE5300F20CB9AD10937624EB706EC5CB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 055DDC74 Relevance: .3, Instructions: 264COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1812091456.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_55d0000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1c7dbf741ffa2e0891d6e00d1f24bf9bc0edd0f7ad439a6412b88a1798a4b928
                                                                                                                                      • Instruction ID: c46ee458bac9231d9cde7d7debc2248cac361c95b63807ab0f9fa02eb35c18f9
                                                                                                                                      • Opcode Fuzzy Hash: 1c7dbf741ffa2e0891d6e00d1f24bf9bc0edd0f7ad439a6412b88a1798a4b928
                                                                                                                                      • Instruction Fuzzy Hash: 82A16036F0021A8FCF15DFB9C8445AEFBB2FF84300B15856AE806AB265DB71D955CB90
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 07E1A2DD Relevance: .2, Instructions: 187COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1819310481.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7e10000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e0455608ccb60d6775f59849238a71eff1a0a655a4200079532dfc67adb96eb0
                                                                                                                                      • Instruction ID: 03b486fe363bd6232dc87d5bd6100a249af279db8a871c41b8bb66ca62a14a80
                                                                                                                                      • Opcode Fuzzy Hash: e0455608ccb60d6775f59849238a71eff1a0a655a4200079532dfc67adb96eb0
                                                                                                                                      • Instruction Fuzzy Hash: 0791A5B0D012298FDB69DF69C9517DEBBB2BF88300F10C1EAC509AB294DB355A85CF50
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Function 06A3ED10 Relevance: 5.2, Strings: 4, Instructions: 246COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1814073839.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_6a30000_44QHzbqD3m.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: (_dq$(_dq$(_dq$(_dq
                                                                                                                                      • API String ID: 0-2092114380
                                                                                                                                      • Opcode ID: 9091919396cfc4c2e3755340c6e8c5cc0dc3dbd984b47af89551644aef28b417
                                                                                                                                      • Instruction ID: 9cb787ce2a9f5bfe046d5cd4d055ae7481540f8f351345264e840c13c27b85ff
                                                                                                                                      • Opcode Fuzzy Hash: 9091919396cfc4c2e3755340c6e8c5cc0dc3dbd984b47af89551644aef28b417
                                                                                                                                      • Instruction Fuzzy Hash: C591B139A04355AFDB45AF78C4205AE7BF2FF85300B24856AE9069F381DA35DD06CBD1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%