Windows Analysis Report
o8uKhd6peZ.exe

Overview

General Information

Sample name: o8uKhd6peZ.exe (renamed because the original name is a hash value)
Original sample name: e0f2b2303fd1c9e71cee34f2df8f8011.exe
Analysis ID: 1431056
MD5: e0f2b2303fd1c9e71cee34f2df8f8011
SHA1: be89a535c4d9c5d417556cab1537b82050cf6078
SHA256: d7603ee9b4ae922bee366a81374ad3234851c93f78a22023cc612dc0e148b816
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • o8uKhd6peZ.exe (PID: 2888 cmdline: "C:\Users\user\Desktop\o8uKhd6peZ.exe" MD5: E0F2B2303FD1C9E71CEE34F2DF8F8011)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration (RedLine):
{"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}
Yara matches

Source | Rule | Description | Author
o8uKhd6peZ.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000000.1987821634.0000000000D62000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: o8uKhd6peZ.exe PID: 2888 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author
0.0.o8uKhd6peZ.exe.d60000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

No Sigma rule has matched
Snort IDS alerts

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
04/24/24-14:16:57.216658 | 2046045 | 49705 | 2630 | TCP | A Network Trojan was detected
04/24/24-14:16:57.437568 | 2043234 | 2630 | 49705 | TCP | A Network Trojan was detected
04/24/24-14:17:02.760215 | 2046056 | 2630 | 49705 | TCP | A Network Trojan was detected
04/24/24-14:17:10.652826 | 2043231 | 49705 | 2630 | TCP | A Network Trojan was detected

AV Detection

Source: o8uKhd6peZ.exe | Malware Configuration Extractor: RedLine {"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}
Source: o8uKhd6peZ.exe | Virustotal: Detection: 61%
Source: o8uKhd6peZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: o8uKhd6peZ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (0_2_07F40040)
Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Code function: 4x nop then jmp 07F48E8Dh (0_2_07F48E6C)

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49705 -> 103.113.70.99:2630
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49705 -> 103.113.70.99:2630
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 103.113.70.99:2630 -> 192.168.2.5:49705
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 103.113.70.99:2630 -> 192.168.2.5:49705
Source: Malware configuration extractor | URLs: 103.113.70.99:2630
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 103.113.70.99:2630
Source: Joe Sandbox View | IP Address: 103.113.70.99
Source: Joe Sandbox View | ASN Name: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN
Source: unknown | TCP traffic detected without corresponding DNS query: 103.113.70.99 (this entry is repeated 50 times in the report)
Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  http://schemas.xmlsoap.org/ws/2002/12/policy
  http://schemas.xmlsoap.org/ws/2004/04/sc
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/04/trust
  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/06/addressingex
  http://schemas.xmlsoap.org/ws/2004/10/wsat
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  http://schemas.xmlsoap.org/ws/2004/10/wscoor
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
  http://schemas.xmlsoap.org/ws/2005/02/sc
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
  http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  http://schemas.xmlsoap.org/ws/2005/02/trust
  http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
  http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://schemas.xmlsoap.org/soap/actor/next
  http://schemas.xmlsoap.org/soap/envelope/
  http://schemas.xmlsoap.org/ws/2004/08/addressing
  http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  http://schemas.xmlsoap.org/ws/2005/02/rm
  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
  http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
  http://tempuri.org/
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.000000000344D000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000034DE000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.000000000344D000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: o8uKhd6peZ.exeString found in binary or memory: https://api.ip.sb/ip
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeFile created: C:\Users\user\AppData\Local\Temp\TmpFD55.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeFile created: C:\Users\user\AppData\Local\Temp\TmpFD66.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_02FFDC740_2_02FFDC74
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_069AA3E60_2_069AA3E6
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_069A3F500_2_069A3F50
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_069A6FF80_2_069A6FF8
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_069A6FE80_2_069A6FE8
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_07F4B6B10_2_07F4B6B1
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_07F481C00_2_07F481C0
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_07F48F200_2_07F48F20
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_07F466800_2_07F46680
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_07F4666F0_2_07F4666F
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_07F400400_2_07F40040
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_07F400070_2_07F40007
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeCode function: 0_2_07F48F110_2_07F48F11
                    Source: o8uKhd6peZ.exe, 00000000.00000000.1987886749.0000000000DA6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameUpspearing.exe8 vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2153274825.000000000132E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefirefox.exe0 vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $jq,\\StringFileInfo\\000004B0\\OriginalFilename vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $jq,\\StringFileInfo\\040904B0\\OriginalFilename vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXED vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $jq,\\StringFileInfo\\080904B0\\OriginalFilename vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsedge.exe> vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exeBinary or memory string: OriginalFilenameUpspearing.exe8 vs o8uKhd6peZ.exe
                    Source: o8uKhd6peZ.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/5@0/1
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06Jump to behavior
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeFile created: C:\Users\user\AppData\Local\Temp\TmpFD55.tmpJump to behavior
                    Source: o8uKhd6peZ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: o8uKhd6peZ.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File read: C:\Program Files (x86)\desktop.ini
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: o8uKhd6peZ.exe | Virustotal: Detection: 61%
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: msvcp140_clr0400.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: msisip.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: wshext.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: appxsip.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: opcservices.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: esdsip.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: sxs.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: scrrun.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: linkinfo.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
                    Source: Google Chrome.lnk.0.dr | LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: o8uKhd6peZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: o8uKhd6peZ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: o8uKhd6peZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: o8uKhd6peZ.exe | Static PE information: 0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Code function: 0_2_069AE069 push es; ret 0_2_069AE070
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Code function: 0_2_069AECF2 push eax; ret 0_2_069AED01
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Code function: 0_2_07F47538 push eax; ret 0_2_07F47542
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Code function: 0_2_07F47528 push eax; ret 0_2_07F47532
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Code function: 0_2_07F47518 push eax; ret 0_2_07F47522
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Code function: 0_2_07F47508 push eax; ret 0_2_07F47512
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Code function: 0_2_07F474D8 push eax; ret 0_2_07F474D2
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Code function: 0_2_07F474D8 push eax; ret 0_2_07F47502
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Code function: 0_2_07F474A8 push eax; ret 0_2_07F474D2

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Memory allocated: 2FF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Memory allocated: 30B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Memory allocated: 50B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Window / User API: threadDelayed 1268
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Window / User API: threadDelayed 8503
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe TID: 6348 | Thread sleep time: -28592453314249787s >= -30000s
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Thread delayed: delay time: 922337203685477
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2166810752.0000000006A0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllwx|
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2163465939.0000000004405000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Users\user\Desktop\o8uKhd6peZ.exe VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    barindex
                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: o8uKhd6peZ.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.o8uKhd6peZ.exe.d60000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1987821634.0000000000D62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: o8uKhd6peZ.exe PID: 2888, type: MEMORYSTR
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $jq2C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2169998356.0000000007AEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.json\
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLRjq
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2169998356.0000000007AEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.json\
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $jq%appdata%`,jqdC:\Users\user\AppData\Roaming`,jqdC:\Users\user\AppData\Roaming\Binance
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $jq&%localappdata%\Coinomi\Coinomi\walletsLRjq
                    Source: o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $jq6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\Desktop\o8uKhd6peZ.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: Yara match | File source: 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: o8uKhd6peZ.exe PID: 2888, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: o8uKhd6peZ.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.o8uKhd6peZ.exe.d60000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1987821634.0000000000D62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: o8uKhd6peZ.exe PID: 2888, type: MEMORYSTR
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    ---------------|----------------------|----------------|-----------|-------------|----------------------|-----------------|-------------------|-----------|------------------|------------|---------------------|--------------|-------
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 241 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Install Root Certificate | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label | Link
o8uKhd6peZ.exe | 62% | Virustotal | | Browse
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id8 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 4% | Virustotal | | Browse
http://tempuri.org/Entity/Id2Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id9 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id4 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id14ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id1ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id20 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id22 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id24 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id11 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id12 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24Response | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5Response | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id17 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id18 | 1% | Virustotal | | Browse
                    No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/ | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13ResponseD | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | o8uKhd6peZ.exe | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1ResponseD | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id20 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id22 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id1Response | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21ResponseD | o8uKhd6peZ.exe, 00000000.00000002.2156486982.000000000344D000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id10 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id11 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id10ResponseD | o8uKhd6peZ.exe, 00000000.00000002.2156486982.000000000344D000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id12 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id16Response | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13 | o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id14o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id15o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id16o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Nonceo8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id17o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id18o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000034DE000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id5Responseo8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id19o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnso8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id15ResponseDo8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id10Responseo8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Renewo8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id11ResponseDo8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id8Responseo8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyo8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDo8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTo8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2006/02/addressingidentityo8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id17ResponseDo8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/soap/envelope/o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id8ResponseDo8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp, o8uKhd6peZ.exe, 00000000.00000002.2156486982.00000000031D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyo8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1o8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trusto8uKhd6peZ.exe, 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
IP:103.113.70.99
Domain:unknown
Country:India
ASN:133973
ASN Name:NETCONNECTWIFI-AS NetConnectWifiPvtLtd IN
Malicious:true
                                                                                                                            Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                            Analysis ID:1431056
                                                                                                                            Start date and time:2024-04-24 14:16:09 +02:00
                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                            Overall analysis duration:0h 5m 0s
                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                            Report type:full
                                                                                                                            Cookbook file name:default.jbs
                                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                                                                                                                            Number of new started drivers analysed:0
                                                                                                                            Number of existing processes analysed:0
                                                                                                                            Number of existing drivers analysed:0
                                                                                                                            Number of injected processes analysed:0
                                                                                                                            Technologies:
                                                                                                                            • HCA enabled
                                                                                                                            • EGA enabled
                                                                                                                            • AMSI enabled
                                                                                                                            Analysis Mode:default
                                                                                                                            Analysis stop reason:Timeout
                                                                                                                            Sample name:o8uKhd6peZ.exe
                                                                                                                            renamed because original name is a hash value
                                                                                                                            Original Sample Name:e0f2b2303fd1c9e71cee34f2df8f8011.exe
                                                                                                                            Detection:MAL
                                                                                                                            Classification:mal100.troj.spyw.evad.winEXE@1/5@0/1
                                                                                                                            EGA Information:
                                                                                                                            • Successful, ratio: 100%
                                                                                                                            HCA Information:
                                                                                                                            • Successful, ratio: 100%
                                                                                                                            • Number of executed functions: 81
                                                                                                                            • Number of non-executed functions: 15
                                                                                                                            Cookbook Comments:
                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time:14:17:03
Type:API Interceptor
Description:58x Sleep call for process: o8uKhd6peZ.exe modified
Match:103.113.70.99
Associated samples (each detected as malicious, threat name RedLine):
• vguZEL1YWf.exe
• djiwhBMknd.exe
• ExAXLXWP9K.exe
• 44QHzbqD3m.exe
• 3q1lESMAMh.exe
• fkmfYBX2c6.exe
• IcDaW5Yzvb.exe
• W8Q1QyZc1j.exe
• W8Q1QyZc1j.exe
                                                                                                                                              No context
Match:NETCONNECTWIFI-AS NetConnectWifiPvtLtd IN
Associated samples / URLs (sample, contacted IP, detection, threat name):
• vguZEL1YWf.exe, 103.113.70.99, malicious, RedLine
• djiwhBMknd.exe, 103.113.70.99, malicious, RedLine
• ExAXLXWP9K.exe, 103.113.70.99, malicious, RedLine
• 44QHzbqD3m.exe, 103.113.70.99, malicious, RedLine
• 3q1lESMAMh.exe, 103.113.70.99, malicious, RedLine
• fkmfYBX2c6.exe, 103.113.70.99, malicious, RedLine
• IcDaW5Yzvb.exe, 103.113.70.99, malicious, RedLine
• W8Q1QyZc1j.exe, 103.113.70.99, malicious, RedLine
• W8Q1QyZc1j.exe, 103.113.70.99, malicious, RedLine
• https://www.wsj.pm/download.php, 103.113.70.37, malicious, NetSupport RAT
                                                                                                                                              No context
                                                                                                                                              No context
                                                                                                                                              Process:C:\Users\user\Desktop\o8uKhd6peZ.exe
                                                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:52 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:dropped
Size (bytes):2104
Entropy (8bit):3.450348412174441
Encrypted:false
SSDEEP:48:8SZl2dfTXdARYrnvPdAKRkdAGdAKRFdAKRE:8SZlO7
MD5:C87B5B9316D61B764B5EABDAF6A76441
SHA1:12CAF6448A3A679749D14A5EE491D7FF3954DB19
SHA-256:6FC9FD3B7E37D31A95153912EC2A2544E6F542662EFF865E2BB74B0E8408E12A
SHA-512:298AC170B7BDE1750FE6728C1DCFA1E03413AD3520714854219B8AF5026CFD56FEBD1EA61001A5B767292A8206C4B2D5BD16180CCDFA744F5CF30C31C09CC596
Malicious:false
Reputation:low
Preview:L..................F.@.. ......,....'*Fl.......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDW.r....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWUl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWUl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWUl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDW.r..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
Process:C:\Users\user\Desktop\o8uKhd6peZ.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3274
Entropy (8bit):5.3318368586986695
Encrypted:false
SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
MD5:0B2E58EF6402AD69025B36C36D16B67F
SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
Malicious:false
Reputation:moderate, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process:C:\Users\user\Desktop\o8uKhd6peZ.exe
File Type:data
Category:dropped
Size (bytes):2662
Entropy (8bit):7.8230547059446645
Encrypted:false
SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:false
Reputation:moderate, very likely benign file
Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
Process:C:\Users\user\Desktop\o8uKhd6peZ.exe
File Type:data
Category:dropped
Size (bytes):2662
Entropy (8bit):7.8230547059446645
Encrypted:false
SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:false
Reputation:moderate, very likely benign file
Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
Process:C:\Users\user\Desktop\o8uKhd6peZ.exe
File Type:data
Category:dropped
Size (bytes):2251
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:0158FE9CEAD91D1B027B795984737614
SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:false
Reputation:moderate, very likely benign file
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.0636471796794185
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:o8uKhd6peZ.exe
File size:312'804 bytes
MD5:e0f2b2303fd1c9e71cee34f2df8f8011
SHA1:be89a535c4d9c5d417556cab1537b82050cf6078
SHA256:d7603ee9b4ae922bee366a81374ad3234851c93f78a22023cc612dc0e148b816
SHA512:c863e0534715e135e074606ccdbbbb8be91290837ea0d72d3b54dbf27edc72f5f1b64d454850e633dec47d121aa0949ab810df64dd01dba57243fad2573fb5e3
SSDEEP:6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
TLSH:28645C1823EC8911E27F4B7994A1E274D375ED56A452E30F4ED06CAB3E32741FA11AB2
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................
Icon Hash:4d8ea38d85a38e6d
Entrypoint:0x42b9ae
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
popad
add byte ptr [ebp+00h], dh
je 00007F4EED3848C2h
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 006C006Ch
xor eax, 59007400h
add byte ptr [edi+00h], dl
push edx
add byte ptr [ecx+00h], dh
popad
add byte ptr [edi+00h], dl
push esi
add byte ptr [edi+00h], ch
popad
add byte ptr [ebp+00h], ch
push 61006800h
add byte ptr [ebp+00h], ch
dec edx
add byte ptr [eax], bh
add byte ptr [edi+00h], dl
push edi
add byte ptr [ecx], bh
add byte ptr [ecx+00h], bh
bound eax, dword ptr [eax]
xor al, byte ptr [eax]
insb
add byte ptr [eax+00h], bl
pop ecx
add byte ptr [edi+00h], dl
js 00007F4EED3848C2h
jnc 00007F4EED3848C2h
pop edx
add byte ptr [eax+00h], bl
push ecx
add byte ptr [ebx+00h], cl
popad
add byte ptr [edi+00h], dl
dec edx
add byte ptr [ebp+00h], dh
pop edx
add byte ptr [edi+00h], dl
jo 00007F4EED3848C2h
imul eax, dword ptr [eax], 5Ah
add byte ptr [ebp+00h], ch
jo 00007F4EED3848C2h
je 00007F4EED3848C2h
bound eax, dword ptr [eax]
push edi
add byte ptr [eax+eax+77h], dh
add byte ptr [ecx+00h], bl
xor al, byte ptr [eax]
xor eax, 63007300h
add byte ptr [edi+00h], al
push esi
add byte ptr [ecx+00h], ch
popad
add byte ptr [edx], dh
add byte ptr [eax+00h], bh
je 00007F4EED3848C2h
bound eax, dword ptr [eax]
insd
add byte ptr [eax+eax+76h], dh
add byte ptr [edx+00h], bl
push edi
add byte ptr [ecx], bh
add byte ptr [eax+00h], dh
popad
add byte ptr [edi+00h], al
cmp dword ptr [eax], eax
insd
add byte ptr [edx+00h], bl
push edi
                                                                                                                                              add byte ptr [esi+00h], cl
                                                                                                                                              cmp byte ptr [eax], al
                                                                                                                                              push esi
                                                                                                                                              add byte ptr [eax+00h], cl
                                                                                                                                              dec edx
                                                                                                                                              add byte ptr [esi+00h], dh
                                                                                                                                              bound eax, dword ptr [eax]
                                                                                                                                              insd
                                                                                                                                              add byte ptr [eax+00h], bh
                                                                                                                                              jo 00007F4EED3848C2h
                                                                                                                                              bound eax, dword ptr [eax]
                                                                                                                                              insd
                                                                                                                                              add byte ptr [ebx+00h], dh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b95c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2b940 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2e994 | 0x2ec00 | 64c48738b5efa1379746874c338807d5 | False | 0.4696168950534759 | data | 6.205450376900145 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x32000 | 0x1c9d4 | 0x1cc00 | 5b3e8f48de8a05507379330b3cf331a7 | False | 0.23725373641304348 | data | 2.6063301335912525 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x50000 | 0xc | 0x400 | f921873e0b7f3fe3399366376917ef43 | False | 0.025390625 | data | 0.05390218305374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x321a0 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
RT_ICON | 0x35eb4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
RT_ICON | 0x466ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
RT_ICON | 0x4a924 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
RT_ICON | 0x4cedc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
RT_ICON | 0x4df94 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
RT_GROUP_ICON | 0x4e40c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x4e478 | 0x35a | data | | | 0.4417249417249417
RT_MANIFEST | 0x4e7e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/24/24-14:16:57.216658 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49705 | 2630 | 192.168.2.5 | 103.113.70.99
04/24/24-14:16:57.437568 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 2630 | 49705 | 103.113.70.99 | 192.168.2.5
04/24/24-14:17:02.760215 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 2630 | 49705 | 103.113.70.99 | 192.168.2.5
04/24/24-14:17:10.652826 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49705 | 2630 | 192.168.2.5 | 103.113.70.99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                              Apr 24, 2024 14:17:08.708304882 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:08.708849907 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.709327936 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.709340096 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.709348917 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.709561110 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.709602118 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.751817942 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.752291918 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:08.752393961 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:08.933485031 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.933511972 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.933522940 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.933536053 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.933546066 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.933881044 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.934287071 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:08.934380054 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:08.972280025 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.972357035 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.972464085 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.972765923 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.973536968 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.973584890 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.974267960 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.975070000 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.975102901 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.975548029 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.975575924 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.975629091 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:08.975961924 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:08.976056099 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:09.170037031 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.185667038 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.203141928 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.224812031 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.246633053 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.247035980 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:09.247159958 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:09.280594110 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.290545940 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.311988115 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.316138983 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.316157103 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.316168070 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.316401958 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.316452026 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.318347931 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.318499088 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.318989038 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.319320917 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:09.319402933 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:09.468286991 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.468306065 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.468364000 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.468467951 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.476485014 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.476502895 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.476538897 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.476974964 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.477041960 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.477591038 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:09.477704048 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:09.542772055 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.542790890 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.542805910 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.542948008 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.543334961 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.543770075 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.544138908 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:09.700589895 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.703257084 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.703269958 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.705284119 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.710665941 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.715135098 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.715153933 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765780926 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765799999 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765809059 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765819073 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765829086 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765839100 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765847921 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765857935 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765867949 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765877962 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765887022 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765903950 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765913010 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765921116 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765930891 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765939951 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765949965 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.765959978 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.766025066 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.766267061 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.766719103 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.766731024 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.767862082 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:09.783575058 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:10.004381895 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:10.004417896 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:10.004489899 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:10.004530907 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:10.005167007 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:10.035614967 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:10.255752087 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:10.256532907 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:10.565016031 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:10.612889051 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:10.652826071 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:10.924966097 CEST263049705103.113.70.99192.168.2.5
                                                                                                                                              Apr 24, 2024 14:17:10.972230911 CEST497052630192.168.2.5103.113.70.99
                                                                                                                                              Apr 24, 2024 14:17:11.149837017 CEST497052630192.168.2.5103.113.70.99
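In the extracted report the packet rows above have lost their column separators: timestamp, source port, destination port, source IP and destination IP are run together, and the digit run is genuinely ambiguous (263049705 can be read as 2630|49705 or 26304|9705). The following Python is an added example, not code from Joe Sandbox or from this report. It enumerates every valid split of a row, resolves the ambiguity by picking the conversation key that is consistent across the most rows of the capture, and then summarises each conversation with packet counts per direction and a check of the server port. It assumes that the side using the Windows dynamic port range (49152 and up) is the client, uses a small hypothetical allowlist of common server ports, and embeds four rows copied from the table above as its sample input.

```python
"""Rebuild run-together 'TCP packets' rows from a Joe Sandbox report (added example).

A row such as
    Apr 24, 2024 14:17:08.257277012 CEST497052630192.168.2.5103.113.70.99
carries timestamp, source port, destination port, source IP and destination IP with
the separators lost. Every valid split is enumerated and the conversation key that is
consistent across the most rows of the capture wins.
"""
import re
from collections import Counter, defaultdict

OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
IPV4 = re.compile(rf"^{OCTET}\.{OCTET}\.{OCTET}\.{OCTET}$")
ROW = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)\s*(\d+)(\.\S+)$")
EPHEMERAL_MIN = 49152                                     # assumption: Windows dynamic port range
COMMON_PORTS = {21, 22, 25, 53, 80, 443, 587, 993, 995}   # assumption: minimal server-port allowlist

# Constructed sample: four rows copied from the report's TCP packet table.
SAMPLE_ROWS = [
    "Apr 24, 2024 14:17:08.257277012 CEST497052630192.168.2.5103.113.70.99",
    "Apr 24, 2024 14:17:08.257296085 CEST263049705103.113.70.99192.168.2.5",
    "Apr 24, 2024 14:17:08.257350922 CEST497052630192.168.2.5103.113.70.99",
    "Apr 24, 2024 14:17:08.481842995 CEST263049705103.113.70.99192.168.2.5",
]


def _port_splits(digits):
    """Yield every (a, b) with a+b == digits where both are ports 1..65535 without a leading zero."""
    for i in range(1, len(digits)):
        a, b = digits[:i], digits[i:]
        if a[0] != "0" and b[0] != "0" and int(a) <= 65535 and int(b) <= 65535:
            yield int(a), int(b)


def _ip_splits(s):
    """Yield every (ip_a, ip_b) with ip_a+ip_b == s where both are valid dotted quads."""
    for i in range(7, len(s) - 6):
        a, b = s[:i], s[i:]
        if IPV4.match(a) and IPV4.match(b):
            yield a, b


def candidates(row):
    """Return (timestamp, [(sport, dport, sip, dip), ...]) for every valid split of one row."""
    m = ROW.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    ts, digits, tail = m.groups()
    out = []
    for k in (1, 2, 3):            # the first 1-3 digits of the source IP are glued to the ports
        ports, octet = digits[:-k], digits[-k:]
        if len(ports) < 2 or octet[0] == "0":
            continue
        for sip, dip in _ip_splits(octet + tail):
            for sport, dport in _port_splits(ports):
                out.append((sport, dport, sip, dip))
    return ts, out


def _key(c):
    """Direction-free conversation key: the port pair and the IP pair as sets."""
    sport, dport, sip, dip = c
    return frozenset((sport, dport)), frozenset((sip, dip))


def parse_rows(rows):
    """Resolve each row to (timestamp, sport, dport, sip, dip) by cross-row consistency."""
    parsed = [candidates(r) for r in rows]
    votes = Counter()
    for _, cs in parsed:
        votes.update({_key(c) for c in cs})       # one vote per distinct key per row
    resolved = []
    for ts, cs in parsed:
        if not cs:
            raise ValueError(f"no valid split for row at {ts}")
        # Most widely consistent key wins; on a tie prefer a split with an ephemeral port.
        best = max(cs, key=lambda c: (votes[_key(c)], max(c[:2]) >= EPHEMERAL_MIN))
        resolved.append((ts, *best))
    return resolved


def conversations(resolved):
    """Group packets per (client_ip, client_port, server_ip, server_port); client = ephemeral side."""
    convs = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None})
    for ts, sport, dport, sip, dip in resolved:
        if sport >= EPHEMERAL_MIN > dport:
            key, direction = (sip, sport, dip, dport), "out"
        else:
            key, direction = (dip, dport, sip, sport), "in"
        c = convs[key]
        c[direction] += 1
        c["first"] = c["first"] or ts
        c["last"] = ts
    for (_, _, _, server_port), c in convs.items():
        c["nonstandard_port"] = server_port not in COMMON_PORTS
    return dict(convs)


if __name__ == "__main__":
    for (cip, cport, sip, sport), c in conversations(parse_rows(SAMPLE_ROWS)).items():
        print(f"{cip}:{cport} <-> {sip}:{sport}  out={c['out']} in={c['in']} "
              f"nonstandard_port={c['nonstandard_port']}  {c['first']} .. {c['last']}")
```

On the sample rows the resolver settles on 192.168.2.5:49705 talking to 103.113.70.99:2630, two packets each way, and flags 2630 because it is not on the allowlist. The cross-row vote only works when the capture holds several rows of the same conversation; a single row, or a conversation in which both ends use dynamic ports, stays ambiguous and should be cross-checked against the report's own connection list rather than trusted from the split alone.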


                                                                                                                                              Target ID:0
                                                                                                                                              Start time:14:16:54
                                                                                                                                              Start date:24/04/2024
                                                                                                                                              Path:C:\Users\user\Desktop\o8uKhd6peZ.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Users\user\Desktop\o8uKhd6peZ.exe"
                                                                                                                                              Imagebase:0xd60000
                                                                                                                                              File size:312'804 bytes
                                                                                                                                              MD5 hash:E0F2B2303FD1C9E71CEE34F2DF8F8011
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1987821634.0000000000D62000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2156486982.0000000003158000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2156486982.0000000003512000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              Reputation:low
                                                                                                                                              Has exited:true


                                                                                                                                                Execution Graph

                                                                                                                                                Execution Coverage:9.2%
                                                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                Signature Coverage:0%
                                                                                                                                                Total number of Nodes:58
                                                                                                                                                Total number of Limit Nodes:11
                                                                                                                                                execution_graph 40654 7f4a530 40655 7f4a6bb 40654->40655 40656 7f4a556 40654->40656 40656->40655 40658 7f47648 40656->40658 40659 7f4a7b0 PostMessageW 40658->40659 40660 7f4a81c 40659->40660 40660->40656 40633 2ff4668 40634 2ff4684 40633->40634 40635 2ff4696 40634->40635 40637 2ff47a0 40634->40637 40638 2ff47c5 40637->40638 40642 2ff48a1 40638->40642 40646 2ff48b0 40638->40646 40644 2ff48b0 40642->40644 40643 2ff49b4 40643->40643 40644->40643 40650 2ff4248 40644->40650 40647 2ff48d7 40646->40647 40648 2ff49b4 40647->40648 40649 2ff4248 CreateActCtxA 40647->40649 40649->40648 40651 2ff5940 CreateActCtxA 40650->40651 40653 2ff5a03 40651->40653 40661 2ffd0b8 40662 2ffd0fe GetCurrentProcess 40661->40662 40664 2ffd149 40662->40664 40665 2ffd150 GetCurrentThread 40662->40665 40664->40665 40666 2ffd18d GetCurrentProcess 40665->40666 40667 2ffd186 40665->40667 40668 2ffd1c3 40666->40668 40667->40666 40669 2ffd1eb GetCurrentThreadId 40668->40669 40670 2ffd21c 40669->40670 40671 2ffad38 40675 2ffae30 40671->40675 40683 2ffae20 40671->40683 40672 2ffad47 40676 2ffae41 40675->40676 40677 2ffae64 40675->40677 40676->40677 40691 2ffb0c8 40676->40691 40695 2ffb0b8 40676->40695 40677->40672 40678 2ffb068 GetModuleHandleW 40680 2ffb095 40678->40680 40679 2ffae5c 40679->40677 40679->40678 40680->40672 40684 2ffae41 40683->40684 40685 2ffae64 40683->40685 40684->40685 40689 2ffb0c8 LoadLibraryExW 40684->40689 40690 2ffb0b8 LoadLibraryExW 40684->40690 40685->40672 40686 2ffb068 GetModuleHandleW 40688 2ffb095 40686->40688 40687 2ffae5c 40687->40685 40687->40686 40688->40672 40689->40687 40690->40687 40693 2ffb0dc 40691->40693 40692 2ffb101 40692->40679 40693->40692 40699 2ffa870 40693->40699 40696 2ffb0dc 40695->40696 40697 2ffb101 40696->40697 40698 2ffa870 LoadLibraryExW 40696->40698 40697->40679 40698->40697 40700 2ffb2a8 LoadLibraryExW 
40699->40700 40702 2ffb321 40700->40702 40702->40692 40703 2ffd300 DuplicateHandle 40704 2ffd396 40703->40704
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2171443078.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_7f40000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: @B/
                                                                                                                                                • API String ID: 0-3863299084
                                                                                                                                                • Opcode ID: e3865f930465d1d959a38b9dddcadf827744be7b1a82decadfc18d48055af4f6
                                                                                                                                                • Instruction ID: 1180fa65a4c3663c672824fc6c7a6353b1025883bff030bbf339141db6b026d7
                                                                                                                                                • Opcode Fuzzy Hash: e3865f930465d1d959a38b9dddcadf827744be7b1a82decadfc18d48055af4f6
                                                                                                                                                • Instruction Fuzzy Hash: 8B829AB4E41229CFDB64DF69C984BDDBBB2BB49340F1481EAD809A7250DB309E85CF54
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: $jq
                                                                                                                                                • API String ID: 0-2886413773
                                                                                                                                                • Opcode ID: 07817fcf2e84d72ac18879b838c00d6e305b615eba5f4ba21cf375a1d85710b8
                                                                                                                                                • Instruction ID: cef5b63e544ec81d6ab8ccd0f9c50f370261b3cab5781136280103ebec6d56c3
                                                                                                                                                • Opcode Fuzzy Hash: 07817fcf2e84d72ac18879b838c00d6e305b615eba5f4ba21cf375a1d85710b8
                                                                                                                                                • Instruction Fuzzy Hash: A9125034F002158FCB54DF69C584A6EBBFABF88710B248569E906EB365DB71DC41CB90
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2171443078.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_7f40000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 755a620052ae6510eaed8ea2c35525cedbcccc05bb46ee39196b434bb69b2c9e
                                                                                                                                                • Instruction ID: df391a564f993411ef758f207c3be1dd7774b4c67302eb092b9bcfddab3a6ca8
                                                                                                                                                • Opcode Fuzzy Hash: 755a620052ae6510eaed8ea2c35525cedbcccc05bb46ee39196b434bb69b2c9e
                                                                                                                                                • Instruction Fuzzy Hash: 2CF1EFF1B016048FD715DB75D950BAEBBF6AF89300F184469D246DB2A6CB35D801CB61
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2171443078.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_7f40000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 0ba2f075ce726c7076e184693cfda36462c6af2827653a1b5a772dbfb0061bf8
                                                                                                                                                • Instruction ID: 82b781491b4f1c7cbfdd8b2697cb132768f427c5b71738b515ded17b0f8743c7
                                                                                                                                                • Opcode Fuzzy Hash: 0ba2f075ce726c7076e184693cfda36462c6af2827653a1b5a772dbfb0061bf8
                                                                                                                                                • Instruction Fuzzy Hash: 50E1E2B4E01229CFDB64DF65C950BAEBBB2BF89300F5081AAD409B7294DB705E85CF50
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4184557ad65f6642eb2ba031e8f5914b13cedd294421ea66a272fd0ce8d12196
                                                                                                                                                • Instruction ID: 36ebe410c97c7427c1cc6af8ecf8bf8c7164fe59444eff23915a48f6ca5f71a2
                                                                                                                                                • Opcode Fuzzy Hash: 4184557ad65f6642eb2ba031e8f5914b13cedd294421ea66a272fd0ce8d12196
                                                                                                                                                • Instruction Fuzzy Hash: 4FD10670E01318CFCB18EFB5D954AADBBB2FF8A301F1081A9D50AAB255DB355986CF41
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 294 6990d80-6990dcb 299 6990efd-6990f10 294->299 300 6990dd1-6990dd3 294->300 304 6991006-6991011 299->304 305 6990f16-6990f25 299->305 301 6990dd6-6990de5 300->301 306 6990deb-6990e1d 301->306 307 6990e9d-6990ea1 301->307 308 6991019-6991022 304->308 314 6990f2b-6990f51 305->314 315 6990fd1-6990fd5 305->315 341 6990e1f-6990e24 306->341 342 6990e26-6990e2d 306->342 309 6990eb0 307->309 310 6990ea3-6990eae 307->310 312 6990eb5-6990eb8 309->312 310->312 312->308 319 6990ebe-6990ec2 312->319 343 6990f5a-6990f61 314->343 344 6990f53-6990f58 314->344 317 6990fe4 315->317 318 6990fd7-6990fe2 315->318 320 6990fe6-6990fe8 317->320 318->320 321 6990ed1 319->321 322 6990ec4-6990ecf 319->322 327 6991039-69910b5 320->327 328 6990fea-6990ff4 320->328 325 6990ed3-6990ed5 321->325 322->325 330 6990edb-6990ee5 325->330 331 6991025-6991032 325->331 376 6991189-699119c 327->376 377 69910bb-69910bd 327->377 336 6990ff7-6991000 328->336 345 6990ee8-6990ef2 330->345 331->327 336->304 336->305 347 6990e91-6990e9b 341->347 348 6990e2f-6990e50 342->348 349 6990e52-6990e76 342->349 351 6990f63-6990f84 343->351 352 6990f86-6990faa 343->352 350 6990fc5-6990fcf 344->350 345->301 353 6990ef8 345->353 347->345 348->347 367 6990e78-6990e7e 349->367 368 6990e8e 349->368 350->336 351->350 369 6990fac-6990fb2 352->369 370 6990fc2 352->370 353->308 373 6990e80 367->373 374 6990e82-6990e84 367->374 368->347 371 6990fb4 369->371 372 6990fb6-6990fb8 369->372 370->350 371->370 372->370 373->368 374->368 381 69911a2-69911b1 376->381 382 6991234-699123f 376->382 378 69910c0-69910cf 377->378 383 6991129-699112d 378->383 384 69910d1-69910fe 378->384 391 69911ff-6991203 381->391 392 69911b3-69911dc 381->392 385 6991247-6991250 382->385 386 699113c 383->386 387 699112f-699113a 383->387 410 6991104-6991106 384->410 390 6991141-6991144 386->390 
387->390 390->385 396 699114a-699114e 390->396 394 6991212 391->394 395 6991205-6991210 391->395 414 69911de-69911e4 392->414 415 69911f4-69911fd 392->415 401 6991214-6991216 394->401 395->401 399 699115d 396->399 400 6991150-699115b 396->400 404 699115f-6991161 399->404 400->404 402 6991218-6991222 401->402 403 6991267-6991284 401->403 419 6991225-699122e 402->419 428 6991298-69912af 403->428 429 6991286-6991294 403->429 408 6991253-6991260 404->408 409 6991167-6991171 404->409 408->403 425 6991174-699117e 409->425 411 6991108-699110e 410->411 412 699111e-6991127 410->412 417 6991110 411->417 418 6991112-6991114 411->418 412->425 420 69911e8-69911ea 414->420 421 69911e6 414->421 415->419 417->412 418->412 419->381 419->382 420->415 421->415 425->378 430 6991184 425->430 434 69912c7-69912e9 428->434 435 69912b1-69912b7 428->435 431 69912c4-69912c5 429->431 432 6991296 429->432 430->385 431->434 432->428 440 69912ec-69912f0 434->440 436 69912b9 435->436 437 69912bb-69912bd 435->437 436->434 437->431 441 69912f9-69912fe 440->441 442 69912f2-69912f7 440->442 443 6991304-6991307 441->443 442->443 444 69914f8-6991500 443->444 445 699130d-6991322 443->445 445->440 447 6991324 445->447 448 6991498-69914b9 447->448 449 699132b-6991350 447->449 450 69913e0-6991405 447->450 454 69914bf-69914f3 448->454 462 6991352-6991354 449->462 463 6991356-699135a 449->463 460 699140b-699140f 450->460 461 6991407-6991409 450->461 454->440 469 6991411-699142e 460->469 470 6991430-6991453 460->470 468 699146d-6991493 461->468 464 69913b8-69913db 462->464 465 699137b-699139e 463->465 466 699135c-6991379 463->466 464->440 486 69913a0-69913a6 465->486 487 69913b6 465->487 466->464 468->440 469->468 484 699146b 470->484 485 6991455-699145b 470->485 484->468 488 699145d 485->488 489 699145f-6991461 485->489 490 69913a8 486->490 491 69913aa-69913ac 486->491 487->464 488->484 489->484 490->487 491->487
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166574861.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_6990000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: $jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                                                                                                                • API String ID: 0-2647192402
                                                                                                                                                • Opcode ID: 51a0e038389c39ea9df7c8e8ec34ec5e93f5ab2084ba3396e5a1b1e684e6dec4
                                                                                                                                                • Instruction ID: 4ca83cef2818e8a9ec277cd5635079bd279729d477f494bd4abeef9e5fc75d4b
                                                                                                                                                • Opcode Fuzzy Hash: 51a0e038389c39ea9df7c8e8ec34ec5e93f5ab2084ba3396e5a1b1e684e6dec4
                                                                                                                                                • Instruction Fuzzy Hash: 7932C030B042069FDF559B69C854A7EBBFBFF89200B148469E916D7BA2CB74DC01CB61
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 492 2ffd0a8-2ffd147 GetCurrentProcess 496 2ffd149-2ffd14f 492->496 497 2ffd150-2ffd184 GetCurrentThread 492->497 496->497 498 2ffd18d-2ffd1c1 GetCurrentProcess 497->498 499 2ffd186-2ffd18c 497->499 500 2ffd1ca-2ffd1e5 call 2ffd289 498->500 501 2ffd1c3-2ffd1c9 498->501 499->498 505 2ffd1eb-2ffd21a GetCurrentThreadId 500->505 501->500 506 2ffd21c-2ffd222 505->506 507 2ffd223-2ffd285 505->507 506->507
                                                                                                                                                APIs
                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 02FFD136
                                                                                                                                                • GetCurrentThread.KERNEL32 ref: 02FFD173
                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 02FFD1B0
                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 02FFD209
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Current$ProcessThread
                                                                                                                                                • String ID: x%p}
                                                                                                                                                • API String ID: 2063062207-2965546771
                                                                                                                                                • Opcode ID: 7c9410c88f2b211b4aa1143ac78a539dcb8bef4ea6c37c09a55cfeac307a5472
                                                                                                                                                • Instruction ID: d4cae65a16f2bc710ea321e5ad5b90cdea1c4664e38ee8dda0768b3064e1d329
                                                                                                                                                • Opcode Fuzzy Hash: 7c9410c88f2b211b4aa1143ac78a539dcb8bef4ea6c37c09a55cfeac307a5472
                                                                                                                                                • Instruction Fuzzy Hash: 0B5168B19013498FDB54DFA9D548B9EBFF1FF48314F20805AE109A73A0DB385944CB65
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 514 2ffd0b8-2ffd147 GetCurrentProcess 518 2ffd149-2ffd14f 514->518 519 2ffd150-2ffd184 GetCurrentThread 514->519 518->519 520 2ffd18d-2ffd1c1 GetCurrentProcess 519->520 521 2ffd186-2ffd18c 519->521 522 2ffd1ca-2ffd1e5 call 2ffd289 520->522 523 2ffd1c3-2ffd1c9 520->523 521->520 527 2ffd1eb-2ffd21a GetCurrentThreadId 522->527 523->522 528 2ffd21c-2ffd222 527->528 529 2ffd223-2ffd285 527->529 528->529
                                                                                                                                                APIs
                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 02FFD136
                                                                                                                                                • GetCurrentThread.KERNEL32 ref: 02FFD173
                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 02FFD1B0
                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 02FFD209
Strings
Memory Dump Source
• Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID: x%p}
• API String ID: 2063062207-2965546771
• Opcode ID: 1010ade93ed2c01fd2fbe3f66127ba00a99579606d33de1964bee8b1106eae98
• Instruction ID: 83c7fd46b4cc2ff6bc6bb9129f44e5f27fb2d2868eece2186f134bf1febe7b09
• Opcode Fuzzy Hash: 1010ade93ed2c01fd2fbe3f66127ba00a99579606d33de1964bee8b1106eae98
• Instruction Fuzzy Hash: 635168B09013098FDB54DFAAD548B9EBBF1FF48314F208059E509A73A0DB389944CF65
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Control-flow graph: entry block 6991584, blocks spanning 6991571-6991b77; no API or sub-function calls annotated (node and edge listing of the rendered graph not reproduced)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2166574861.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6990000_o8uKhd6peZ.jbxd
Similarity
• API ID:
• String ID: $jq$$jq$$jq$$jq$$jq$$jq
• API String ID: 0-3356825164
• Opcode ID: c14c0cd4cbea4a3e246a5177eef3304f2b4bb9508aa3aae991965d470b6ebe14
• Instruction ID: 270142fd378d0b115db05cdababfed1dabd89a21930a2aec3e1d3db66a3f4686
• Opcode Fuzzy Hash: c14c0cd4cbea4a3e246a5177eef3304f2b4bb9508aa3aae991965d470b6ebe14
• Instruction Fuzzy Hash: 92C107707442429FDB449B68C994A6E7BAAFF86300F244869D902DB7E2CFB5DC05C7A1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Control-flow graph: entry block 2ffae30-2ffae3f, blocks spanning 2ffae30-2ffb0b0; sub-function calls to 2ff9838 (from block 2ffae41-2ffae4e), 2ffb0c8 or 2ffb0b8 (two targets recorded for block 2ffae56), 2ffa814, 2ffa824, 2ffa834 and 2ffa844; GetModuleHandleW called from block 2ffb068-2ffb093 (node and edge listing of the rendered graph not reproduced)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02FFB086
Strings
Memory Dump Source
• Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
Similarity
• API ID: HandleModule
• String ID: x%p}
• API String ID: 4139908857-2965546771
• Opcode ID: b347564495a838ced338feac677f367c005731f794796aa61474798eb7fbf271
• Instruction ID: 76fc904ea211050269c608b6ed122aeea5f33863aab8aa61ce7996b8ff2bb1a9
• Opcode Fuzzy Hash: b347564495a838ced338feac677f367c005731f794796aa61474798eb7fbf271
• Instruction Fuzzy Hash: 8E8157B0A00B058FD764DF29D54479ABBF1FF48344F00896ED68ADBA60D775E84ACB90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Control-flow graph: entry block 2ff5935-2ff593c, blocks spanning 2ff5935-2ff5b3c; CreateActCtxA called from block 2ff5944-2ff5a01 (node and edge listing of the rendered graph not reproduced)
APIs
• CreateActCtxA.KERNEL32(?), ref: 02FF59F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
Similarity
• API ID: Create
• String ID: x%p}
• API String ID: 2289755597-2965546771
• Opcode ID: 7b0cd55047e88f2377e989e88f67af5a929540c227a658f630fee8287f178a10
• Instruction ID: ea6ca0a9543ef32d2700421a1731a7d779d440c7ef1e94a912d3d775d285777c
• Opcode Fuzzy Hash: 7b0cd55047e88f2377e989e88f67af5a929540c227a658f630fee8287f178a10
• Instruction Fuzzy Hash: DB4101B1C00719CEDB64DFA9C884B9DBBF5FF49304F20806AD508AB264DB75594ACFA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Control-flow graph: entry block 2ff4248-2ff5a01 (contains the CreateActCtxA call), blocks spanning 2ff4248-2ff5b3c (node and edge listing of the rendered graph not reproduced)
APIs
• CreateActCtxA.KERNEL32(?), ref: 02FF59F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
Similarity
• API ID: Create
• String ID: x%p}
• API String ID: 2289755597-2965546771
• Opcode ID: e1243ede5bb0a105c01b144e6756a295bc84b589bb2697d7cf6ede6ed9d15d4a
• Instruction ID: e26474837a3beef0d7a3bbc1248775508f92add031c7c359ccb26eecd4f73035
• Opcode Fuzzy Hash: e1243ede5bb0a105c01b144e6756a295bc84b589bb2697d7cf6ede6ed9d15d4a
• Instruction Fuzzy Hash: 3E41FFB1D0071DCADB24DFA9C884B9DBBF5FF49304F60806AD508AB264DB75694ACF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Control-flow graph: entry block 2ffa858-2ffa860, blocks spanning 2ffa858-2ffb345; LoadLibraryExW called from block 2ffb2f0-2ffb31f (node and edge listing of the rendered graph not reproduced)
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02FFB101,00000800,00000000,00000000), ref: 02FFB312
Strings
Memory Dump Source
• Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
Similarity
• API ID: LibraryLoad
• String ID: x%p}
• API String ID: 1029625771-2965546771
• Opcode ID: c7b6b73367060da3ee42fe75a4218461e4cca21615e33b70558ba5b67ebef1d6
• Instruction ID: 92c1f726c95444f227fcb7ab0ecfdccb887791fa5e8dc49e75e69b5d27d28637
• Opcode Fuzzy Hash: c7b6b73367060da3ee42fe75a4218461e4cca21615e33b70558ba5b67ebef1d6
• Instruction Fuzzy Hash: DC319AB68043888FDB11DFAED854ADEBFF4EF49314F0480AAC644A7261C3789545CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Control-flow graph: entry block 2ffd2f9-2ffd394 (contains the DuplicateHandle call), blocks spanning 2ffd2f9-2ffd3ba (node and edge listing of the rendered graph not reproduced)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FFD387
Strings
Memory Dump Source
• Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: x%p}
• API String ID: 3793708945-2965546771
• Opcode ID: 02dfea7b5b09e4207c2d5eb3cf968a96cab8fe47464ca6033d073d57897c4381
• Instruction ID: dac1ca2495888909c86f8c0c55fce310bcc136d63b43fc7f4d2271558bf8cca7
• Opcode Fuzzy Hash: 02dfea7b5b09e4207c2d5eb3cf968a96cab8fe47464ca6033d073d57897c4381
• Instruction Fuzzy Hash: 3E21E3B5D002089FDB10CF9AD585AEEBBF5EF48314F14841AE918A3250D378A940CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Control-flow graph: entry block 2ffd300-2ffd394 (contains the DuplicateHandle call), blocks spanning 2ffd300-2ffd3ba (node and edge listing of the rendered graph not reproduced)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FFD387
Strings
Memory Dump Source
• Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: x%p}
• API String ID: 3793708945-2965546771
• Opcode ID: 5a241f993d8f7580a6688f85dde1d1a546e1b7f6d9cd56234c38adf77f8405f7
• Instruction ID: d39c619afb91cde93f6ad74d8478309145446e7b1c620bf1d5c55a0874c3a23e
• Opcode Fuzzy Hash: 5a241f993d8f7580a6688f85dde1d1a546e1b7f6d9cd56234c38adf77f8405f7
• Instruction Fuzzy Hash: 7B21E4B5D002089FDB10CF9AD584ADEBBF9FF48310F14801AE918A3350C378A940CFA5
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 834 2ffa870-2ffb2e8 836 2ffb2ea-2ffb2ed 834->836 837 2ffb2f0-2ffb31f LoadLibraryExW 834->837 836->837 838 2ffb328-2ffb345 837->838 839 2ffb321-2ffb327 837->839 839->838
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02FFB101,00000800,00000000,00000000), ref: 02FFB312
Strings
Memory Dump Source
• Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
Similarity
• API ID: LibraryLoad
• String ID: x%p}
• API String ID: 1029625771-2965546771
Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 2ffb2a0-2ffb2e8, 2ffb2ea-2ffb2ed, 2ffb2f0-2ffb31f (LoadLibraryExW), 2ffb321-2ffb327, 2ffb328-2ffb345
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02FFB101,00000800,00000000,00000000), ref: 02FFB312
Strings
Memory Dump Source
• Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
Similarity
• API ID: LibraryLoad
• String ID: x%p}
• API String ID: 1029625771-2965546771
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07F4A80D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2171443078.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7f40000_o8uKhd6peZ.jbxd
Similarity
• API ID: MessagePost
• String ID: x%p}
• API String ID: 410705778-2965546771
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07F4A80D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2171443078.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7f40000_o8uKhd6peZ.jbxd
Similarity
• API ID: MessagePost
• String ID: x%p}
• API String ID: 410705778-2965546771
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02FFB086
Strings
Memory Dump Source
• Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
Similarity
• API ID: HandleModule
• String ID: x%p}
• API String ID: 4139908857-2965546771
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
Similarity
• API ID:
• String ID: x%p}$x%p}
• API String ID: 0-3807848110
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
Similarity
• API ID:
• String ID: x%p}$x%p}
• API String ID: 0-3807848110
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2166574861.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6990000_o8uKhd6peZ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
Similarity
• API ID:
• String ID: (nq
• API String ID: 0-2756854522
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
Similarity
• API ID:
• String ID: 4'jq
• API String ID: 0-3676250632
                                                                                                                                                • Opcode ID: 11a56da55c29896a65ee7521c58c5e8263ef3cf7d5aac7a1082cbabd2c3d18aa
                                                                                                                                                • Instruction ID: 989d542073887346efe7ed03ab5ac7d61244c6f4e01c160bad78f9ab9df4304c
                                                                                                                                                • Opcode Fuzzy Hash: 11a56da55c29896a65ee7521c58c5e8263ef3cf7d5aac7a1082cbabd2c3d18aa
                                                                                                                                                • Instruction Fuzzy Hash: 2A313131B443508FC719A738A85066EBBEADFC6320B1445AEE849CB390CE39EC07C791
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'jq
                                                                                                                                                • API String ID: 0-3676250632
                                                                                                                                                • Opcode ID: 9f2957ed50896b9f176c06172b41acc6074af7a2896b6dd6f3f5194230c2d854
                                                                                                                                                • Instruction ID: badfe12909a0145cc28574f41a9d9e5469e1948c7b817599697c36ff19046c65
                                                                                                                                                • Opcode Fuzzy Hash: 9f2957ed50896b9f176c06172b41acc6074af7a2896b6dd6f3f5194230c2d854
                                                                                                                                                • Instruction Fuzzy Hash: 0C3171317102148BDB08AB78A5945AEB7E7EFC8210B504439D916DB3A4EE39DE0687E1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: x%p}
                                                                                                                                                • API String ID: 0-2965546771
                                                                                                                                                • Opcode ID: 57fe0580adae12d798e7e0766cf12ec5b57474ccdfe5e452feeb19992df25e53
                                                                                                                                                • Instruction ID: 4c93ee3912426ed0e95e5a016fbf833b396937fe845ca8dda3e43cb61cafc04e
                                                                                                                                                • Opcode Fuzzy Hash: 57fe0580adae12d798e7e0766cf12ec5b57474ccdfe5e452feeb19992df25e53
                                                                                                                                                • Instruction Fuzzy Hash: EF4102B1D012089FDB54DFAAD944ADEFBF6AF88310F20802AD415B7254DB35A945CF90
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'jq
                                                                                                                                                • API String ID: 0-3676250632
                                                                                                                                                • Opcode ID: 3d18bc8b81de1d5e7d610f68c030e392a7fed62befd8c7bb1bd3a0b04282b97a
                                                                                                                                                • Instruction ID: 0f054fe04598a354948b2654f9405b50f5631867f8cb2102f19c8021e05cffd1
                                                                                                                                                • Opcode Fuzzy Hash: 3d18bc8b81de1d5e7d610f68c030e392a7fed62befd8c7bb1bd3a0b04282b97a
                                                                                                                                                • Instruction Fuzzy Hash: 7C218D30B102058FDB09BB7895A467E7AE3AFC8201B10487DD916DB3A5EE38DE0687D1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: x%p}
                                                                                                                                                • API String ID: 0-2965546771
                                                                                                                                                • Opcode ID: ca6811c22d368fa6360392cc80b98f85adadf3b41aefb008bcd5c43a5c64d97e
                                                                                                                                                • Instruction ID: bb62eeb825e3acc184949cece88e4bc647ab8cfdd009732c7e4ab541c85d5725
                                                                                                                                                • Opcode Fuzzy Hash: ca6811c22d368fa6360392cc80b98f85adadf3b41aefb008bcd5c43a5c64d97e
                                                                                                                                                • Instruction Fuzzy Hash: CD3122B1D01318DFCB14DFA9D994ADEBBF9EF48310F24852AE409B7240CB74A946CB90
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: x%p}
                                                                                                                                                • API String ID: 0-2965546771
                                                                                                                                                • Opcode ID: ae58da9692fb8e00a306b9993be04a42bc49476dc7ed21fcbd60454928de569c
                                                                                                                                                • Instruction ID: f3ad341008e80447113747e8c796882770d3d03bc26f5019abe2869f362c40c0
                                                                                                                                                • Opcode Fuzzy Hash: ae58da9692fb8e00a306b9993be04a42bc49476dc7ed21fcbd60454928de569c
                                                                                                                                                • Instruction Fuzzy Hash: 763102B1D012489FDB54DFAACA846DEFFF6AF48300F24802AD415B7250DB359945CF90
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: x%p}
                                                                                                                                                • API String ID: 0-2965546771
                                                                                                                                                • Opcode ID: ea9dbe7a4706a60bdd7e52cc61e37a3caab08dfb1abe336c8b437ed97166a91f
                                                                                                                                                • Instruction ID: e0891dad63afe3f52e705fad46d1e6aeb236c58916e1b22ae3415d14e21db991
                                                                                                                                                • Opcode Fuzzy Hash: ea9dbe7a4706a60bdd7e52cc61e37a3caab08dfb1abe336c8b437ed97166a91f
                                                                                                                                                • Instruction Fuzzy Hash: BB2124B0D01348DFDB14CFA9C995B9EBFF9AF08300F24852AE405B7290D7749945CB94
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'jq
                                                                                                                                                • API String ID: 0-3676250632
                                                                                                                                                • Opcode ID: a9326c7d695a32a543b54b817cf0e1555b86c225d7bd86f6dbecdbfcb19c40a3
                                                                                                                                                • Instruction ID: 959d38c582b517dc17c831bb10c69a9639f6dfe524d41cd85544c6d8008a7a81
                                                                                                                                                • Opcode Fuzzy Hash: a9326c7d695a32a543b54b817cf0e1555b86c225d7bd86f6dbecdbfcb19c40a3
                                                                                                                                                • Instruction Fuzzy Hash: 33016D34912309EFCB08EFB9E9448ADBFB6FF84200B1085B9E905A7355DB385E45CB95
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'jq
                                                                                                                                                • API String ID: 0-3676250632
                                                                                                                                                • Opcode ID: eca7283dc1d92ed6108309a797e0705a6cb6cb51161a2cd9180d65bc61a02389
                                                                                                                                                • Instruction ID: 8d53bf3fbbdf5a6db92abf1e1620a40f4f4ce893842fc80966e8c99dc44c1756
                                                                                                                                                • Opcode Fuzzy Hash: eca7283dc1d92ed6108309a797e0705a6cb6cb51161a2cd9180d65bc61a02389
                                                                                                                                                • Instruction Fuzzy Hash: 1BF090313806058FC609EB29E85096E77EFEFC92503508939D94A9B764EF74ED0A87E1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'jq
                                                                                                                                                • API String ID: 0-3676250632
                                                                                                                                                • Opcode ID: 509c416f0d8f706473f57de61e25a7b094943c79888abcce6bb90be83725e881
                                                                                                                                                • Instruction ID: 3b291f3c356f66a720c8eb3a0b2f03c8c530f396c5113f6bcfbae4a9ec696a2f
                                                                                                                                                • Opcode Fuzzy Hash: 509c416f0d8f706473f57de61e25a7b094943c79888abcce6bb90be83725e881
                                                                                                                                                • Instruction Fuzzy Hash: 6AF08730A12209EFCB08EFB8E94489CBBB6FF44200B1081B9E906A7355DB385E04CB44
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166574861.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_6990000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 5a5c14549b624ef64d5ba761bb4a2aca0c13744ee2f6a0e4bfe9e8f908a7a59f
                                                                                                                                                • Instruction ID: 22f172fb62c7a8704d37226c5f7ce81c593dc3ff126c32dbde6e75a0e6417721
                                                                                                                                                • Opcode Fuzzy Hash: 5a5c14549b624ef64d5ba761bb4a2aca0c13744ee2f6a0e4bfe9e8f908a7a59f
                                                                                                                                                • Instruction Fuzzy Hash: 58129174B042049FCB45DF68C994D6EBBFAEF89700B15849AE505DB7A2CB31DC06CBA1
                                                                                                                                                Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2166574861.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6990000_o8uKhd6peZ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8eb98f745a27054434e1d8c0bf064620b02d8fa88af1b6aed7859fdb55083414
• Instruction ID: dcf3e0ebf0c4e950a05879733ac1c1348eeebca5cb78f95853215a6af6aea9e8
• Opcode Fuzzy Hash: 8eb98f745a27054434e1d8c0bf064620b02d8fa88af1b6aed7859fdb55083414
• Instruction Fuzzy Hash: 7E42AF307416188FCB259F68D554A2EBBB6FFC6300B414A5CD903AB7A4CF79ED098B91
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c88d8176855c0fd2db07e38f31d5a433bfaf41a83842ba10dddd4561062cc772
                                                                                                                                                • Instruction ID: dc1af86953c751c6c679a30ea0dd2b17c30f409d623da3d46eba07305e6ff9f4
                                                                                                                                                • Opcode Fuzzy Hash: c88d8176855c0fd2db07e38f31d5a433bfaf41a83842ba10dddd4561062cc772
                                                                                                                                                • Instruction Fuzzy Hash: C0110C333042996FCB514E5D9C50AFF3FEDDB89251F144126FE45C6290C824CC1597E0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: d97170a57ce61a26bbc891699353bdf8ad3ce870fd2453fba8837e40bf950f0c
                                                                                                                                                • Instruction ID: 49537e3fb61f0d86e81cf7d04b50018a04aae3775facc3fdab1d01f02100ad9a
                                                                                                                                                • Opcode Fuzzy Hash: d97170a57ce61a26bbc891699353bdf8ad3ce870fd2453fba8837e40bf950f0c
                                                                                                                                                • Instruction Fuzzy Hash: A311E73220D7818FD305CB24E8519853FA5FB42320F1A85AAE444CB5B1DB35D946CB94
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 1bf09417bd1f202c60c2b4d29ca9e5b6f4fa79cb7840f2943d824fd427849f62
                                                                                                                                                • Instruction ID: 1af38fab45b429a5595051c42579e2acc414ab1e4f1ad476dbc3eec1079db51e
                                                                                                                                                • Opcode Fuzzy Hash: 1bf09417bd1f202c60c2b4d29ca9e5b6f4fa79cb7840f2943d824fd427849f62
                                                                                                                                                • Instruction Fuzzy Hash: 0821D074E112189FCB48CFA9E948ADDBBF5BB89310F10912AE809B3350EB741945CB94
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 0261c861dc061f91c25dc75d91c24318d8a7cf17ba606b488f75691a3bd7ade4
                                                                                                                                                • Instruction ID: 64968ad243ab7e7b91be2a339b5f257f471065a9f767a6bb9f7284688398f4d2
                                                                                                                                                • Opcode Fuzzy Hash: 0261c861dc061f91c25dc75d91c24318d8a7cf17ba606b488f75691a3bd7ade4
                                                                                                                                                • Instruction Fuzzy Hash: 9C01B131B102199FDF10DAA9EC44AAFBBEEEB84250B144036E904D3240EF70A91587A0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 9d11c3757f5f24eaf6d4ed0467e4a3f623d5280d2edefbb881d394fec30a5a80
                                                                                                                                                • Instruction ID: 8fdb387e3ab8220b7e8850831b34061d8cf40d61a66a6a04a67ebed4ebbf4ccc
                                                                                                                                                • Opcode Fuzzy Hash: 9d11c3757f5f24eaf6d4ed0467e4a3f623d5280d2edefbb881d394fec30a5a80
                                                                                                                                                • Instruction Fuzzy Hash: 7901B5312503058FC699A739E65496DBBABEFC02A0B44983CD60787614DD36BC4B8B91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2156107859.0000000002E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E5D000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_2e5d000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: aea0fb9b1aaa4d238ca08627d46bd9269998d00ebe22f5f30b041dd1a40fc215
                                                                                                                                                • Instruction ID: 0b313a87201552c54ae692e5666ef950c0c5298f58d962bdc6b41df1aaf1730f
                                                                                                                                                • Opcode Fuzzy Hash: aea0fb9b1aaa4d238ca08627d46bd9269998d00ebe22f5f30b041dd1a40fc215
                                                                                                                                                • Instruction Fuzzy Hash: F1012631444B10DAEB608B1ACC84B67FF9DEF45328F18C42AED084B286C3399840CAB5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b3209426f8f75764089ccfa0c3cb792c92191255f634442fc528a77285b7c394
                                                                                                                                                • Instruction ID: 656bb8530dd01118155c8f1dbfeff693150002c8027c608932dbad33e31d0e9b
                                                                                                                                                • Opcode Fuzzy Hash: b3209426f8f75764089ccfa0c3cb792c92191255f634442fc528a77285b7c394
                                                                                                                                                • Instruction Fuzzy Hash: 9A018C302403048FD329AF66E01866A77E7EFC4351B108A38D54B87654CF78A90ACB91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a6b443862bd1bbbd4e8a75b8fdc0c37952adaf1d0907def5eb310356f0a9bc9e
                                                                                                                                                • Instruction ID: bb393811b420b2856a2cfaad8349e73218ed02288bb8f0e7af83036e9564c28d
                                                                                                                                                • Opcode Fuzzy Hash: a6b443862bd1bbbd4e8a75b8fdc0c37952adaf1d0907def5eb310356f0a9bc9e
                                                                                                                                                • Instruction Fuzzy Hash: 34018630B11701CFDBA99A39A50452777FBBF84215715983DE406C6D14DA75E884CBD0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 057fe7845a3574d0ceebf7067d2f8403210a663594d639d95c659d568ba48618
                                                                                                                                                • Instruction ID: 36ca75ab826a653b51e26a4c51b2153e29804853d5f71f484b07b721e732596f
                                                                                                                                                • Opcode Fuzzy Hash: 057fe7845a3574d0ceebf7067d2f8403210a663594d639d95c659d568ba48618
                                                                                                                                                • Instruction Fuzzy Hash: 8901C4B4D0420AEFCB44DFA9D9496AEFBF5BB49301F2084AAD415A3340E7740A44DFD1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 46f6714a8c5a1234c2ec033cb174da7f330ad30c61d95203502395e4a3b867eb
                                                                                                                                                • Instruction ID: aceb588d3e97d34260510ad93d433ad9661a41777ce75f76cda65288a6a13023
                                                                                                                                                • Opcode Fuzzy Hash: 46f6714a8c5a1234c2ec033cb174da7f330ad30c61d95203502395e4a3b867eb
                                                                                                                                                • Instruction Fuzzy Hash: 9F01A2B4D0421AAFDB40DFA4D9497AEBFF5AB09301F2085AAE419A3381D7744A84DBD1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2156107859.0000000002E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E5D000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_2e5d000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c2aedca24c8ab951200c30dd90d6c035dd2a4d5637e07d976cb0e733ab26c259
                                                                                                                                                • Instruction ID: 396b2ddb0e3d1720a79651add4d2df2cbc404a0ef15af2eda668ede3f8eeb1b5
                                                                                                                                                • Opcode Fuzzy Hash: c2aedca24c8ab951200c30dd90d6c035dd2a4d5637e07d976cb0e733ab26c259
• Instruction Fuzzy Hash: 89F0C271404754DAE7208A06DC88B62FFA8EF41738F18C45AED484B286C3799840CAB4
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1b7390117c3191098b606d6c24614059b0eacb6a0dc703a91c629aa931cb7cc
• Instruction ID: f5cbc6e2044d679a0687b254d512195aad522259abc7fd4e5a01eeeadc6af09c
• Opcode Fuzzy Hash: a1b7390117c3191098b606d6c24614059b0eacb6a0dc703a91c629aa931cb7cc
• Instruction Fuzzy Hash: 6AF012662041E83F8B514E9B5C10CFB7FEDDA8E1617084156FF99D2141C429C921ABB4
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 1e9dff02d46f3734eb601bc7b3fd8b01f031037b0861a9d0a52b4868cfb966cb
                                                                                                                                                • Instruction ID: 708f7888a83a46b86a1b5a62b1f5fb809c5948c993c7ca442bc879276c76e7ca
                                                                                                                                                • Opcode Fuzzy Hash: 1e9dff02d46f3734eb601bc7b3fd8b01f031037b0861a9d0a52b4868cfb966cb
                                                                                                                                                • Instruction Fuzzy Hash: ECF059B1B0A3A48FC7121B39682407D7FA9DEC626130840EBE283CB552CA045906D3E1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 2a0db2e583c77d23ceb92c07ab1da4b3194179189b1d68feae952d2e9da6cd50
                                                                                                                                                • Instruction ID: 1b8a9db1754b353bb48d796b9d02430a8a82930f0b73de7483dacad7d599972c
                                                                                                                                                • Opcode Fuzzy Hash: 2a0db2e583c77d23ceb92c07ab1da4b3194179189b1d68feae952d2e9da6cd50
                                                                                                                                                • Instruction Fuzzy Hash: DFF027313603006FD351DAACE881F95BB9AEF80310F008432F745CBA90CBB5E856C790
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c6f7d57c51ad3223af74498a70a636171d6580426f4926ce3f950126c5645dad
                                                                                                                                                • Instruction ID: 2925b02314faa69662cb5173504bf55676b2a84faecb6fdd91d936b0f1cac87b
                                                                                                                                                • Opcode Fuzzy Hash: c6f7d57c51ad3223af74498a70a636171d6580426f4926ce3f950126c5645dad
                                                                                                                                                • Instruction Fuzzy Hash: E6F0A9B4C0825AAFDB00CBA0C9195ADBFB0EB5A201F0041DAE446E7651E6384A01EB81
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: d92a90ca28cb7e08f125635ecc462ff2558682716505d1ffa6576233b2a76a04
                                                                                                                                                • Instruction ID: d6319328a33e77e01898034980c447bd6c1392fb102606b2d9bd590d1dbca64d
                                                                                                                                                • Opcode Fuzzy Hash: d92a90ca28cb7e08f125635ecc462ff2558682716505d1ffa6576233b2a76a04
                                                                                                                                                • Instruction Fuzzy Hash: E5F02431A00701CFDBA4CE71D60076BBBF6AF80314F29986CE04283D25C675E584CB80
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 2c4ebfccd187486c64b64787dd5ae502beceeed5a3de3fb339142707279333ae
                                                                                                                                                • Instruction ID: 219739187749aadae052380e31361707b12cda33c937872aeeddec5c546a0ce4
                                                                                                                                                • Opcode Fuzzy Hash: 2c4ebfccd187486c64b64787dd5ae502beceeed5a3de3fb339142707279333ae
                                                                                                                                                • Instruction Fuzzy Hash: D2F0A032F242155FCB109A69AC496AF7FF9AB95261B18002BE914C3140FF34890A87A1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 8c8d75b1296e82599db0c3b8c7bff0440f5231de78a7b269f5861bca917d77cc
                                                                                                                                                • Instruction ID: e51afa214a6594009bfe1299dffcda6a7c26c72d6379cfd377919765c71146d2
                                                                                                                                                • Opcode Fuzzy Hash: 8c8d75b1296e82599db0c3b8c7bff0440f5231de78a7b269f5861bca917d77cc
                                                                                                                                                • Instruction Fuzzy Hash: 15F0E2716193E44FC6131B38A8344AD3F2ADFC622070800EBD242CB193CD141909C7E6
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 595e85b69d52a537603816ebfe7f79a1d38a63193cc99cb50d46897ab07cd5bb
                                                                                                                                                • Instruction ID: 218817ab1c68e2a7f7b7ed4aa8ac7d4e827cd25048981d706f13feb47557db25
                                                                                                                                                • Opcode Fuzzy Hash: 595e85b69d52a537603816ebfe7f79a1d38a63193cc99cb50d46897ab07cd5bb
                                                                                                                                                • Instruction Fuzzy Hash: C4E09231202314AFC3142A5AA448AAEBBDFEFCA3A1B00403DF20EC7241CA65580587A5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 89693d86de7bb05e424633e75762a88e68649c50b2ed82d4f4aba3862b5d53d4
                                                                                                                                                • Instruction ID: aefb78f5f7fd32a40380ddbfdb35722ac6ddf6563036d40cb8cd4a68c8de1b64
                                                                                                                                                • Opcode Fuzzy Hash: 89693d86de7bb05e424633e75762a88e68649c50b2ed82d4f4aba3862b5d53d4
                                                                                                                                                • Instruction Fuzzy Hash: E5F09A35502B01CFD725DF27E448956BBF6FF88310700C63EE98A86A11DB78A90ACF84
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: ccd1cd7ad6b7c40ad25c538e42aadd3c9b547a6ad7638bde901160d3a15d3ef3
                                                                                                                                                • Instruction ID: e704e08e25ead01d43b0596a75acabec7781092304147ee0249b4c1ee8420583
                                                                                                                                                • Opcode Fuzzy Hash: ccd1cd7ad6b7c40ad25c538e42aadd3c9b547a6ad7638bde901160d3a15d3ef3
                                                                                                                                                • Instruction Fuzzy Hash: 45F01535D0120CAFCB41DFB4E9488DDBFBAEB44300F1042A6E805E2240EA34AB569B91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4b6d137bb7cfcdb97273051030662dc1c577c57f947108b624c60f31a6be7a59
                                                                                                                                                • Instruction ID: 07e132c45144441ca10be197c4eb32694b4832f8c9d92659a66fe7b89dedf755
                                                                                                                                                • Opcode Fuzzy Hash: 4b6d137bb7cfcdb97273051030662dc1c577c57f947108b624c60f31a6be7a59
                                                                                                                                                • Instruction Fuzzy Hash: F3E0E5302047508FC311AB2EE518B9E7BEADFC1324F04043DE24687602CBA9AC06CB91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: e3fd1c9005265055002caeb07abeca7414970ed07b86daca3ab70ec2d33d6882
                                                                                                                                                • Instruction ID: c42872be121028dd7124ada6f5540aea5bcc925d9f4ba780a79fd796a791ecb1
                                                                                                                                                • Opcode Fuzzy Hash: e3fd1c9005265055002caeb07abeca7414970ed07b86daca3ab70ec2d33d6882
                                                                                                                                                • Instruction Fuzzy Hash: 89E020714053464FC74E7A20BD136C53BAED74A350F015075D801D79B5DA7C0D4AC7DA
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2171443078.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7f40000_o8uKhd6peZ.jbxd
Similarity
• API ID:
• String ID: $jq$$jq$$jq$$jq
• API String ID: 0-2428501249
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2171443078.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_7f40000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 6804904a303996f9b5a6f4b4dedef0143c7531cabbbfd0a8618221ae525d84c3
                                                                                                                                                • Instruction ID: f85ab6c5545e75a2abddd3389273b6860deea2291212a97f544e7fe52396f7fa
                                                                                                                                                • Opcode Fuzzy Hash: 6804904a303996f9b5a6f4b4dedef0143c7531cabbbfd0a8618221ae525d84c3
                                                                                                                                                • Instruction Fuzzy Hash: 03D10571C2075ACACB11EF64D950A99B375FF95300F10DBAAE50A37225EB746AC8CF81
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2156315086.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_2ff0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4276255792c438b694bcd87b6a5959eb6a26cda82fc66cfd8edba09e09d10648
                                                                                                                                                • Instruction ID: 75ad9756cb2efd905664993bf612e978c3c72beee0c88cc2f78919882ca3e771
                                                                                                                                                • Opcode Fuzzy Hash: 4276255792c438b694bcd87b6a5959eb6a26cda82fc66cfd8edba09e09d10648
                                                                                                                                                • Instruction Fuzzy Hash: DAA17E32E002098FCF05DFB4C98459EBBB2FF85340B15456AEA06BB2A5DB75E945CF90
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2171443078.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_7f40000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: cdd4cc38ff69b9fffba85bb7a11d18b6be0dbea567156f06fb83c97e496b2337
                                                                                                                                                • Instruction ID: 14b832ebc73b363e2002d5e0b55061e5d1e43c8bc0fdef4ec230b24d9b3a4ece
                                                                                                                                                • Opcode Fuzzy Hash: cdd4cc38ff69b9fffba85bb7a11d18b6be0dbea567156f06fb83c97e496b2337
                                                                                                                                                • Instruction Fuzzy Hash: 1091D4B0E012288FDB64DF65C950B9EBBB2BF89300F5081EAC50DA7290DB755E85CF51
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2171443078.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_7f40000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: caf831ebdc90d76886bcf0ef1ada5ed84b9a9c900d5d9e0f8a3491c2d4e201a0
                                                                                                                                                • Instruction ID: b41bf38ec910d91f942525c467196742c0df4c8d8f50a72b6e5883a4853cc508
                                                                                                                                                • Opcode Fuzzy Hash: caf831ebdc90d76886bcf0ef1ada5ed84b9a9c900d5d9e0f8a3491c2d4e201a0
                                                                                                                                                • Instruction Fuzzy Hash: 64416DB5D053488FDB15CFB6D8506DEBFF2AF8A310F18816AC408AB265EB345946CF91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2171443078.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_7f40000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c2a9ffd4dd92216b5948fe4c7db59ac5c155dfbbae7e8db14b4d11e5ab11f71f
                                                                                                                                                • Instruction ID: 029bb26574b6a4b5b4082e199670a9185f6c8ce87843512bee91d661813d2556
                                                                                                                                                • Opcode Fuzzy Hash: c2a9ffd4dd92216b5948fe4c7db59ac5c155dfbbae7e8db14b4d11e5ab11f71f
                                                                                                                                                • Instruction Fuzzy Hash: 2EF0EDB1D8421ACFDB208F94D8487FEBE70BB46395F141855C006B3140CBB886C8CF89
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj
                                                                                                                                                • API String ID: 0-1840911277
                                                                                                                                                • Opcode ID: 6cbc913c22c7fb32a34282fd487a820c29561ec5c0652f55eb83d984f06f0964
                                                                                                                                                • Instruction ID: 5d7f2a39afe7cab62bdfd0a1d7faddea05f61616c8c8497daaf55a5e1d0493fd
                                                                                                                                                • Opcode Fuzzy Hash: 6cbc913c22c7fb32a34282fd487a820c29561ec5c0652f55eb83d984f06f0964
                                                                                                                                                • Instruction Fuzzy Hash: 1FD1C130340718BBC20A6BA0EE51ABDB657FF86300B548938D2054F7A5DF796D1E8B97
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj
                                                                                                                                                • API String ID: 0-1840911277
                                                                                                                                                • Opcode ID: 78527d8d6eef076763d2dbe0e16f85e401664118232562786c1b2a60c7ac5e34
                                                                                                                                                • Instruction ID: 20e7d76d68979f65fd733461e0d061c0f624aae7a42babad7fd81ba68f67b7b1
                                                                                                                                                • Opcode Fuzzy Hash: 78527d8d6eef076763d2dbe0e16f85e401664118232562786c1b2a60c7ac5e34
                                                                                                                                                • Instruction Fuzzy Hash: 9DD1C230350718BBC20A6BA0EE51ABDB257FF86300B548938D3054F795DF796D1E8B96
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj
                                                                                                                                                • API String ID: 0-1877730170
                                                                                                                                                • Opcode ID: 56e7d4ea2b451d3ff6098dc947fdf590ab2bffdacf22d0bf8493ba1230a70216
                                                                                                                                                • Instruction ID: d96857ec0c3a7ab3348922967cc0c4f20e4bafb9456745b2463623ceb4299e8a
                                                                                                                                                • Opcode Fuzzy Hash: 56e7d4ea2b451d3ff6098dc947fdf590ab2bffdacf22d0bf8493ba1230a70216
                                                                                                                                                • Instruction Fuzzy Hash: 4141A6303407147BD2066BA4EA45A7EB657FF86300B508A38E3094F795CF7D6D1D4B9A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj
                                                                                                                                                • API String ID: 0-3572161617
                                                                                                                                                • Opcode ID: 414920573f5247bfb9c9d583d77dc5314a103abd17816c48d1ef5d5f415bda8b
                                                                                                                                                • Instruction ID: bc2912916de7c0c9c165c41a08d230bcef665201eb155ae6d6237dd92253cb75
                                                                                                                                                • Opcode Fuzzy Hash: 414920573f5247bfb9c9d583d77dc5314a103abd17816c48d1ef5d5f415bda8b
                                                                                                                                                • Instruction Fuzzy Hash: 0921B1307402157BD6066BA4E940A7DB65BFF86300F508A38E3094F795CF7D6D0D8B9A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: Dzj$Dzj$Dzj$Dzj$Dzj$Dzj$Dzj
                                                                                                                                                • API String ID: 0-410062309
                                                                                                                                                • Opcode ID: 2cbea9bb2b4c488e43afcbe71eb54b32cc53ee7fbac143398daab8ef50db00b4
                                                                                                                                                • Instruction ID: d830029f91813f7b1ee1eea37ae807645290d199ab9330108a74b5df45d4aeb1
                                                                                                                                                • Opcode Fuzzy Hash: 2cbea9bb2b4c488e43afcbe71eb54b32cc53ee7fbac143398daab8ef50db00b4
                                                                                                                                                • Instruction Fuzzy Hash: 3F21A2303406167BCB062BA5E95486DB757FF86300B048278E70A8F6A4CE785D4E8B82
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.2166604485.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_69a0000_o8uKhd6peZ.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: Dzj$Dzj$Dzj$Dzj$Dzj$Dzj
                                                                                                                                                • API String ID: 0-1686505541
                                                                                                                                                • Opcode ID: 70e0e04d0980c87ec41d09f9e954a4d3c509b6ed5f0cde2281aa0a41782d67b5
                                                                                                                                                • Instruction ID: 154e59d7527c7ec16429804a14aa569b239bbf106c72fde2e837743c1261e9b6
                                                                                                                                                • Opcode Fuzzy Hash: 70e0e04d0980c87ec41d09f9e954a4d3c509b6ed5f0cde2281aa0a41782d67b5
                                                                                                                                                • Instruction Fuzzy Hash: 2C11D5307403147BC2066BA5E940A6EB65BFF86700F508A38E2054F795CF7E6D1D8B96
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%