Windows Analysis Report
gm5v3JlTMk.exe

Overview

General Information

Sample name: gm5v3JlTMk.exe (renamed because the original name is a hash value)
Original sample name: 79fc20c78e45d10f5f6d3f12c736b8d5.exe
Analysis ID: 1431061
MD5: 79fc20c78e45d10f5f6d3f12c736b8d5
SHA1: 4a6b50e0cc1aa3c98bcb786311421ebf6815dcd0
SHA256: 5e0a9b8f7175b983c012fa530bb29693cd8aadf2b2feb0f56d1c089fac20edb4
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • gm5v3JlTMk.exe (PID: 6936, cmdline: "C:\Users\user\Desktop\gm5v3JlTMk.exe", MD5: 79FC20C78E45D10F5F6D3F12C736B8D5)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware configuration: {"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}
Yara matches (Source | Rule | Description | Author):
gm5v3JlTMk.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.1641741658.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: gm5v3JlTMk.exe PID: 6936 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(1 further memory-dump entry not shown in the report excerpt)
0.0.gm5v3JlTMk.exe.bc0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched
Snort alerts (all TCP; classtype "A Network Trojan was detected"; the ports belong to the single 192.168.2.4:49730 <-> 103.113.70.99:2630 flow listed under Networking):
04/24/24-14:26:58.880918  SID 2046045  source port 49730 -> destination port 2630
04/24/24-14:26:59.108894  SID 2043234  source port 2630 -> destination port 49730
04/24/24-14:27:04.417356  SID 2046056  source port 2630 -> destination port 49730
04/24/24-14:27:11.399846  SID 2043231  source port 49730 -> destination port 2630


                    AV Detection

Source: gm5v3JlTMk.exe, Malware Configuration Extractor: RedLine {"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}
Source: gm5v3JlTMk.exe, Virustotal: Detection: 63%
Source: gm5v3JlTMk.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: gm5v3JlTMk.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
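The two "Static PE information" lines and the "Binary contains a suspicious time stamp" signature in the list above all come from the COFF file header and the optional header. The following Python is an added example, not Joe Sandbox code: it reads those fields directly from an image. The image it parses is constructed in memory with the same flag set the report shows (EXECUTABLE_IMAGE | 32BIT_MACHINE and DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE), and the timestamp heuristic (link time in the future or before 1995) is an assumption of this example, not the sandbox's exact rule.

```python
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0x01C0: "ARM", 0xAA64: "ARM64"}
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def flag_names(value: int, table: dict) -> list:
    """Expand a bit field into the names of the set flags (sorted for stable output)."""
    return sorted(name for bit, name in table.items() if value & bit)


def parse_pe_headers(data: bytes) -> dict:
    """Read machine type, link timestamp and both characteristics fields from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, timestamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe_format": "PE32" if magic == 0x10B else "PE32+",
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
    }


def timestamp_is_suspicious(ts: datetime, now: datetime = None, earliest_year: int = 1995) -> bool:
    """Heuristic assumed by this example (not the sandbox's exact rule): a link time
    in the future, or before realistic toolchains existed, deserves a closer look."""
    now = now or datetime.now(timezone.utc)
    return ts > now or ts.year < earliest_year


def build_pe32(timestamp: int, characteristics: int, dll_characteristics: int) -> bytes:
    """Assemble a header-only PE32 image (constructed test input; not loadable)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew: PE signature at 0x80
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 224, characteristics)
    opt = bytearray(224)                               # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed image with the report's flag set and a link time in 2077.
SAMPLE_IMAGE = build_pe32(timestamp=0xC9F00000, characteristics=0x0102,
                          dll_characteristics=0x8540)

if __name__ == "__main__":
    info = parse_pe_headers(SAMPLE_IMAGE)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("suspicious timestamp:", timestamp_is_suspicious(info["timestamp"]))
```

Run it against a real file with `parse_pe_headers(open(path, "rb").read())`. The DllCharacteristics set seen here (DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE) is what the .NET compiler emits by default, so it is consistent with a managed RedLine build but is not evidence of anything on its own; the sandbox's verdict rests on the configuration, Yara and network signatures.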

                    Networking

Source: Traffic, Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 103.113.70.99:2630
Source: Traffic, Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 103.113.70.99:2630
Source: Traffic, Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 103.113.70.99:2630 -> 192.168.2.4:49730
Source: Traffic, Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 103.113.70.99:2630 -> 192.168.2.4:49730
Source: Malware configuration extractor, URLs: 103.113.70.99:2630
Source: global traffic, TCP traffic: 192.168.2.4:49730 -> 103.113.70.99:2630
Source: Joe Sandbox View, IP Address: 103.113.70.99
Source: Joe Sandbox View, ASN Name: NETCONNECTWIFI-AS NetConnectWifi Pvt Ltd, IN
Source: unknown, TCP traffic detected without corresponding DNS query: 103.113.70.99 (reported 50 times; the C2 address is carried as an IP literal in the extracted configuration, so the client never resolves a name for it)
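The "TCP traffic detected without corresponding DNS query" signature is a simple correlation: a destination that appears in a connection but never in a DNS answer. The Python below is an added example, not Joe Sandbox code, showing the check over Zeek-style dns.log and conn.log rows. The log rows are constructed for this example (the flagged flow reproduces the report's 192.168.2.4:49730 -> 103.113.70.99:2630 connection; the other destinations are placeholders), and the port list and private-address exclusion are choices of this example rather than the sandbox's.

```python
import ipaddress

# Constructed sample logs (not the report's pcap): Zeek-style dns.log and conn.log
# rows, tab-separated and reduced to the fields this check needs.
DNS_LOG = """\
ts\tid.orig_h\tquery\tanswers
1713961618.1\t192.168.2.4\tctldl.windowsupdate.com\t13.107.4.50
1713961619.3\t192.168.2.4\twww.example.com\tcdn.example.net,93.184.216.34
"""

CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1713961619.0\t192.168.2.4\t49712\t13.107.4.50\t443\ttcp
1713961618.8\t192.168.2.4\t49730\t103.113.70.99\t2630\ttcp
1713961620.2\t192.168.2.4\t49731\t93.184.216.34\t80\ttcp
1713961621.0\t192.168.2.4\t49732\t192.168.2.1\t445\ttcp
"""

# Ports a client commonly reaches without comment; a DNS-less flow to any other
# port is doubly interesting (the report flags the non-standard port separately).
COMMON_PORTS = {25, 53, 80, 110, 143, 443, 465, 587, 993, 995}


def parse_tsv(text: str) -> list:
    """Parse a header-prefixed TSV dump into a list of row dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def resolved_addresses(dns_rows: list) -> set:
    """Every IP literal seen in a DNS answer; CNAME targets are names, not addresses, and are skipped."""
    seen = set()
    for row in dns_rows:
        for answer in row["answers"].split(","):
            try:
                seen.add(str(ipaddress.ip_address(answer.strip())))
            except ValueError:
                continue  # a hostname (CNAME) rather than an address
    return seen


def connections_without_dns(dns_rows: list, conn_rows: list, skip_private: bool = True) -> list:
    """Flag connections whose destination never appeared in a DNS answer.

    Private destinations are skipped by default: LAN peers (gateway, file shares)
    are legitimately reached without a lookup."""
    resolved = resolved_addresses(dns_rows)
    hits = []
    for row in conn_rows:
        dst = ipaddress.ip_address(row["id.resp_h"])
        if skip_private and dst.is_private:
            continue
        if str(dst) in resolved:
            continue
        port = int(row["id.resp_p"])
        hits.append({
            "ts": float(row["ts"]),
            "src": f"{row['id.orig_h']}:{row['id.orig_p']}",
            "dst": f"{dst}:{port}",
            "proto": row["proto"],
            "non_standard_port": port not in COMMON_PORTS,
        })
    return hits


if __name__ == "__main__":
    for hit in connections_without_dns(parse_tsv(DNS_LOG), parse_tsv(CONN_LOG)):
        print(hit)
```

On the constructed input only the 103.113.70.99:2630 flow is reported. Outside a sandbox the same check produces false positives for resolutions that happened before capture started or were served from a cache, so on production telemetry it should be scoped to a window that begins with the host's DNS activity, or paired with the TTL-aware resolver logs that Zeek and most EDRs provide.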
The strings below are the WS-*/WCF (System.ServiceModel) namespace URIs and tempuri.org contract names that a .NET net.tcp client carries; they fit the MC-NMF (.NET Message Framing) C2 channel that the Snort rules above match, and http://tempuri.org/Entity/Id1 is the contract behind the "Id1Response" rule.
Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, Strings found in binary or memory:
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  http://schemas.xmlsoap.org/ws/2002/12/policy
  http://schemas.xmlsoap.org/ws/2004/04/sc
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/04/trust
  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/06/addressingex
  http://schemas.xmlsoap.org/ws/2004/10/wsat
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  http://schemas.xmlsoap.org/ws/2004/10/wscoor
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
  http://schemas.xmlsoap.org/ws/2005/02/sc
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
  http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  http://schemas.xmlsoap.org/ws/2005/02/trust
  http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
  http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
  http://tempuri.org/D
Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Strings found in binary or memory:
  http://schemas.xmlsoap.org/soap/actor/next
  http://schemas.xmlsoap.org/soap/envelope/
  http://schemas.xmlsoap.org/ws/2004/08/addressing
  http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  http://schemas.xmlsoap.org/ws/2005/02/rm
  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
  http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
  http://tempuri.org/
  http://tempuri.org/Entity/Id1
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.000000000324C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003459000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003459000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003459000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.000000000324C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: gm5v3JlTMk.exeString found in binary or memory: https://api.ip.sb/ip
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; File created: C:\Users\user\AppData\Local\Temp\Tmp2B6A.tmp
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; File created: C:\Users\user\AppData\Local\Temp\Tmp2B59.tmp
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_0177DC74
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_068067D8
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_0680A3E8
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_06803F50
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_0680A3D8
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_06806FE8
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_06806FF8
Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamefirefox.exe0 vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: $qq,\\StringFileInfo\\000004B0\\OriginalFilename vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamechrome.exe< vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: $qq,\\StringFileInfo\\040904B0\\OriginalFilename vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameIEXPLORE.EXED vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: $qq,\\StringFileInfo\\080904B0\\OriginalFilename vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamemsedge.exe> vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe, 00000000.00000002.1788689384.000000000132E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe, 00000000.00000000.1641772098.0000000000C06000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameUpspearing.exe8 vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe; Binary or memory string: OriginalFilenameUpspearing.exe8 vs gm5v3JlTMk.exe
Source: gm5v3JlTMk.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@1/5@0/1
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Mutant created: NULL
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; File created: C:\Users\user\AppData\Local\Temp\Tmp2B59.tmp
Source: gm5v3JlTMk.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gm5v3JlTMk.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: gm5v3JlTMk.exe; Virustotal: Detection: 63%
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: msisip.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: wshext.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: appxsip.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: opcservices.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: esdsip.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: sxs.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: mpr.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: secur32.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Google Chrome.lnk.0.dr; LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: gm5v3JlTMk.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: gm5v3JlTMk.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: gm5v3JlTMk.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: gm5v3JlTMk.exe; Static PE information: 0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_0680C711 push es; ret 0_2_0680C720
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_0680D413 push es; ret 0_2_0680D420
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_0680ECF2 push eax; ret 0_2_0680ED01
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_06803B4F push dword ptr [esp+ecx*2-75h]; ret 0_2_06803B53
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Code function: 0_2_068049AB push FFFFFF8Bh; retf 0_2_068049AD

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\Desktop\gm5v3JlTMk.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Memory allocated: 1730000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Memory allocated: 30F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Memory allocated: 2F50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Window / User API: threadDelayed 1183
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Window / User API: threadDelayed 8293
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe TID: 5076 | Thread sleep time: -29514790517935264s >= -30000s
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe TID: 6980 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Thread delayed: delay time: 922337203685477
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1806169995.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Users\user\Desktop\gm5v3JlTMk.exe VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1806339355.0000000006C1E000.00000004.00000020.00020000.00000000.sdmp, gm5v3JlTMk.exe, 00000000.00000002.1813081446.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: gm5v3JlTMk.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.gm5v3JlTMk.exe.bc0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1641741658.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: gm5v3JlTMk.exe PID: 6936, type: MEMORYSTR
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $qq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.000000000324C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLRqq
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLRqq
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $qq%appdata%`,qqdC:\Users\user\AppData\Roaming`,qqdC:\Users\user\AppData\Roaming\Binance
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $qq&%localappdata%\Coinomi\Coinomi\walletsLRqq
                    Source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $qq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\Desktop\gm5v3JlTMk.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: Yara match | File source: 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: gm5v3JlTMk.exe PID: 6936, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: gm5v3JlTMk.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.gm5v3JlTMk.exe.bc0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1641741658.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: gm5v3JlTMk.exe PID: 6936, type: MEMORYSTR
                    MITRE ATT&CK Matrix

                    The matrix is listed per tactic, one line per column of the original grid. Techniques followed by digits in parentheses carry the count badge shown in the report; the remaining techniques are the grid's standard entries without a matched signature.

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                    Execution: Windows Management Instrumentation (221); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                    Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                    Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (241); Obfuscated Files or Information (1); Install Root Certificate (1); Timestomp (1); DLL Side-Loading (1)
                    Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                    Discovery: Security Software Discovery (231); Process Discovery (1); Virtualization/Sandbox Evasion (241); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (113); Remote System Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                    Collection: Archive Collected Data (1); Data from Local System (3); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                    Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery


                    Antivirus detection (Source | Detection | Scanner | Label | Link)
                    gm5v3JlTMk.exe | 63% | Virustotal | | Browse
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    No contacted domains info
                    URLs found in memory (Name | Source | Malicious | Antivirus Detection | Reputation)
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2005/02/sc/sct | gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id14ResponseD | gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id23ResponseD | gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003459000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id12Response | gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    http://tempuri.org/ | gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id2Response | gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id21Response | gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                              http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrapgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://tempuri.org/Entity/Id9gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • 1%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://tempuri.org/Entity/Id8gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • 1%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://tempuri.org/Entity/Id6ResponseDgm5v3JlTMk.exe, 00000000.00000002.1792581225.000000000324C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • 1%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://tempuri.org/Entity/Id5gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • 1%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Preparegm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://tempuri.org/Entity/Id4gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 1%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://tempuri.org/Entity/Id7gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 1%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://tempuri.org/Entity/Id6gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 1%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://tempuri.org/Entity/Id19Responsegm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • 2%, Virustotal, Browse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licensegm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuegm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Abortedgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequencegm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://tempuri.org/Entity/Id13ResponseDgm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • 1%, Virustotal, Browse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/faultgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2004/10/wsatgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeygm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://tempuri.org/Entity/Id15Responsegm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • 2%, Virustotal, Browse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://tempuri.org/Entity/Id5ResponseDgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • 2%, Virustotal, Browse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namegm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renewgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/Registergm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://tempuri.org/Entity/Id6Responsegm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • 2%, Virustotal, Browse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeygm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://api.ip.sb/ipgm5v3JlTMk.exefalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2004/04/scgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://tempuri.org/Entity/Id1ResponseDgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • 1%, Virustotal, Browse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancelgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://tempuri.org/Entity/Id9Responsegm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • 2%, Virustotal, Browse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://tempuri.org/Entity/Id20gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • 1%, Virustotal, Browse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://tempuri.org/Entity/Id21gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • 1%, Virustotal, Browse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://tempuri.org/Entity/Id22gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • 1%, Virustotal, Browse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/Entity/Id23gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • 1%, Virustotal, Browse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/Entity/Id24gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • 1%, Virustotal, Browse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issuegm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id24Responsegm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • 1%, Virustotal, Browse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://tempuri.org/Entity/Id1Responsegm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • 2%, Virustotal, Browse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedgm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlygm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Replaygm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegogm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binarygm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeygm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://tempuri.org/Entity/Id21ResponseDgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • 1%, Virustotal, Browse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://schemas.xmlsoap.org/ws/2004/08/addressinggm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuegm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Completiongm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trustgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://tempuri.org/Entity/Id10gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 1%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://tempuri.org/Entity/Id11gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 1%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://tempuri.org/Entity/Id10ResponseDgm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000033DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 1%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://tempuri.org/Entity/Id12gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 1%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://tempuri.org/Entity/Id16Responsegm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 2%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsegm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelgm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://tempuri.org/Entity/Id13gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id14gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id15gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id16gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Noncegm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id17gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id18gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id5Responsegm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id19gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://tempuri.org/Entity/Id15ResponseD | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmp | malicious: false | detection: Avira URL Cloud: safe | reputation: unknown
http://tempuri.org/Entity/Id10Response | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | malicious: false | detection: Avira URL Cloud: safe | reputation: unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://tempuri.org/Entity/Id11ResponseD | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | detection: Avira URL Cloud: safe | reputation: unknown
http://tempuri.org/Entity/Id8Response | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | malicious: false | detection: Avira URL Cloud: safe | reputation: unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://tempuri.org/Entity/Id17ResponseD | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | detection: Avira URL Cloud: safe | reputation: unknown
http://schemas.xmlsoap.org/soap/envelope/ | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://tempuri.org/Entity/Id8ResponseD | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | detection: Avira URL Cloud: safe | reputation: unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://schemas.xmlsoap.org/ws/2005/02/trust | source: gm5v3JlTMk.exe, 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
Contacted IPs
IP: 103.113.70.99 | Domain: unknown | Country: India | ASN: 133973 | ASN Name: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN | Malicious: true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431061
Start date and time: 2024-04-24 14:26:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: gm5v3JlTMk.exe (renamed because the original name is a hash value)
Original Sample Name: 79fc20c78e45d10f5f6d3f12c736b8d5.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/5@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 86
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time: 14:27:04 | Type: API Interceptor | Description: 48x Sleep call for process: gm5v3JlTMk.exe modified
IP context
Match: 103.113.70.99
Associated sample name | Detection | Threat name
o8uKhd6peZ.exe | malicious | RedLine
vguZEL1YWf.exe | malicious | RedLine
djiwhBMknd.exe | malicious | RedLine
ExAXLXWP9K.exe | malicious | RedLine
44QHzbqD3m.exe | malicious | RedLine
3q1lESMAMh.exe | malicious | RedLine
fkmfYBX2c6.exe | malicious | RedLine
IcDaW5Yzvb.exe | malicious | RedLine
W8Q1QyZc1j.exe | malicious | RedLine
W8Q1QyZc1j.exe | malicious | RedLine
Domain context: No context
ASN context
Match: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN
Associated sample name | Detection | Threat name | Context
o8uKhd6peZ.exe | malicious | RedLine | 103.113.70.99
vguZEL1YWf.exe | malicious | RedLine | 103.113.70.99
djiwhBMknd.exe | malicious | RedLine | 103.113.70.99
ExAXLXWP9K.exe | malicious | RedLine | 103.113.70.99
44QHzbqD3m.exe | malicious | RedLine | 103.113.70.99
3q1lESMAMh.exe | malicious | RedLine | 103.113.70.99
fkmfYBX2c6.exe | malicious | RedLine | 103.113.70.99
IcDaW5Yzvb.exe | malicious | RedLine | 103.113.70.99
W8Q1QyZc1j.exe | malicious | RedLine | 103.113.70.99
W8Q1QyZc1j.exe | malicious | RedLine | 103.113.70.99
JA3 fingerprint context: No context
Dropped file context: No context
Dropped file 1
Process: C:\Users\user\Desktop\gm5v3JlTMk.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:30 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category: dropped
Size (bytes): 2104
Entropy (8bit): 3.4534191264567817
Encrypted: false
SSDEEP: 48:8SZdATkoGRYrnvPdAKRkdAGdAKRFdAKR/U:8SMt
MD5: DA74D3CDB2BA438B2A4FD95D0DC10B64
SHA1: DB43D3C6EB8534D2293B34543B9C16B4D95481DC
SHA-256: 5BD94DA2BD0C0C51246C9261ACA41A6318DC291687D0C007C6A0AF334458803F
SHA-512: FF076DEC7AB06BC3A5F348E5C44E63509C674F9172E888668D13F32D7E80E384ED92D7EAC55E8A9AD0F7870621A753D589B7BF5648912D5D1F49E5ADAD66B8FB
Malicious: false
Reputation: low
                                                                                                                                                Preview:L..................F.@.. ......,....V........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWP`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWP`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWP`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWI`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
Dropped file 2
Process: C:\Users\user\Desktop\gm5v3JlTMk.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3274
Entropy (8bit): 5.3318368586986695
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
MD5: 0C1110E9B7BBBCB651A0B7568D796468
SHA1: 7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
SHA-256: 112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
SHA-512: 46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Dropped file 3
Process: C:\Users\user\Desktop\gm5v3JlTMk.exe
File Type: data
Category: dropped
Size (bytes): 2662
Entropy (8bit): 7.8230547059446645
Encrypted: false
SSDEEP: 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA1: BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512: 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
Dropped file 4 (same content and hashes as dropped file 3)
Process: C:\Users\user\Desktop\gm5v3JlTMk.exe
File Type: data
Category: dropped
Size (bytes): 2662
Entropy (8bit): 7.8230547059446645
Encrypted: false
SSDEEP: 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA1: BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512: 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
Process: C:\Users\user\Desktop\gm5v3JlTMk.exe
File Type: data
Category: dropped
Size (bytes): 2251
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: 0158FE9CEAD91D1B027B795984737614
SHA1: B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256: 513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512: C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious: false
Reputation: moderate, very likely benign file
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
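The two 2662-byte dropped files above are typed only as "data" by the sandbox, while the signature list flags them as DER certificate files. The preview itself settles the first question: the printable view `0..b` is the byte sequence 30 82 0A 62, a DER SEQUENCE whose long-form length 0x0A62 = 2658 plus the 4 header bytes is exactly 2662, the reported size, so each file is one complete DER object. The repeated `*.H` further in is 2A 86 48, the start of the 1.2.840.113549 (RSA Data Security / PKCS) OID arc. The shape that follows, a three-byte element and then an inner SEQUENCE opening with a PKCS OID, is what a PKCS#12 store (INTEGER version, then ContentInfo) looks like, and together with the 7.82 entropy would point to password-encrypted contents rather than a bare certificate; confirming that needs the full bytes, which the report does not give. The third file, 2251 bytes with entropy 0.0, is a single repeated byte value and fails the same check. The following script is an added example written for this page, not code from Joe Sandbox or from the sample; only the four header bytes and the two sizes come from the report, and the full sample blob and the zero-filled blob are constructed.

```python
"""DER envelope check for dropped certificate blobs.

Added example, not part of the Joe Sandbox report. It reads the outer ASN.1
tag/length of a blob and checks that the declared length spans the whole
file, the quickest way to tell whether a dropped file typed only as "data"
is one complete DER object. X.509 certificates, PKCS#7 bundles and PKCS#12
stores all start with a SEQUENCE (tag 0x30). Only REPORT_HEAD and
REPORT_SIZE come from the report; SAMPLE and the zero blob are constructed.
"""
from typing import List, Optional, Tuple


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, int, int]:
    """Return (tag, header_len, content_len) of the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short form: one length octet
        return tag, 2, first
    if first == 0x80:                     # indefinite form is BER, never DER
        raise ValueError("indefinite length is not DER")
    n = first & 0x7F                      # long form: n length octets follow
    if n > 4 or pos + 2 + n > len(buf):
        raise ValueError("bad long-form length")
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    # DER demands the minimal encoding: long form only for lengths >= 0x80
    # and no leading zero length octets.
    if length < 0x80 or buf[pos + 2] == 0:
        raise ValueError("non-minimal length encoding is not DER")
    return tag, 2 + n, length


def is_complete_der_sequence(head: bytes, file_size: Optional[int] = None) -> bool:
    """True if a file of file_size bytes (default len(head)) that begins with
    'head' is exactly one DER SEQUENCE: tag 0x30 and header + length == size."""
    size = len(head) if file_size is None else file_size
    try:
        tag, hdr, length = read_tlv(head)
    except ValueError:
        return False
    return tag == 0x30 and hdr + length == size


def top_level_children(buf: bytes) -> List[Tuple[int, int]]:
    """(tag, total_len) of each element directly inside the outer SEQUENCE."""
    tag, hdr, length = read_tlv(buf)
    if tag != 0x30 or hdr + length > len(buf):
        raise ValueError("not a complete SEQUENCE")
    out, pos, end = [], hdr, hdr + length
    while pos < end:
        t, h, l = read_tlv(buf, pos)
        if pos + h + l > end:
            raise ValueError("child overruns parent")
        out.append((t, h + l))
        pos += h + l
    return out


def decode_oid(content: bytes) -> str:
    """Dotted OID from an OBJECT IDENTIFIER's content octets. The first octet
    packs arcs 1 and 2 as 40*a1 + a2, which is exact for a1 in {0, 1}."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:                 # base-128, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


# From the report's preview: "0..b" is 30 82 0A 62, a SEQUENCE whose
# long-form length is 0x0A62 = 2658; "Size (bytes)" of the record is 2662.
REPORT_HEAD = bytes.fromhex("30820a62")
REPORT_SIZE = 2662

# Constructed blob: SEQUENCE { INTEGER 3, SEQUENCE { OID 1.2.840.113549.1.7.1 } }
PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")
SAMPLE = (b"\x30\x10"
          + b"\x02\x01\x03"
          + b"\x30\x0b" + b"\x06\x09" + PKCS7_DATA_OID)

if __name__ == "__main__":
    print("report blob is one complete SEQUENCE:",
          is_complete_der_sequence(REPORT_HEAD, REPORT_SIZE))
    print("children of constructed blob:",
          [(hex(t), n) for t, n in top_level_children(SAMPLE)])
    print("OID:", decode_oid(PKCS7_DATA_OID))
    print("2251 zero bytes are DER:", is_complete_der_sequence(bytes(2251)))
```

Run against a real dropped file, the function takes the first few bytes and the on-disk size; a mismatch means truncation, trailing data appended to a certificate, or a different format altogether, all of which are worth a second look before the blob is handed to a certificate parser.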
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.062568447042871
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: gm5v3JlTMk.exe
File size: 312'891 bytes
MD5: 79fc20c78e45d10f5f6d3f12c736b8d5
SHA1: 4a6b50e0cc1aa3c98bcb786311421ebf6815dcd0
SHA256: 5e0a9b8f7175b983c012fa530bb29693cd8aadf2b2feb0f56d1c089fac20edb4
SHA512: 8c86d2c46d5eac37eaf7ca2612a395a52811e12a4d1653e410ccfc609cf64ff25b0ec10c469f96467745ec553a2abf1a5d4259ac347d2e92083453ea64143b4d
SSDEEP: 6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
TLSH: 4E645C1823EC8911E27F4B7994A1E274D375ED56A452E30F4ED06CAB3E32741FA11AB2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................
Icon Hash: 4d8ea38d85a38e6d
Entrypoint: 0x42b9ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
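Three of the header fields above deserve a reading the raw table does not give. The time stamp 0xF0DBE6BE decodes to 19 January 2098, which is why the signature list flags a suspicious time stamp; a value with the high bit set is also what Roslyn's deterministic builds write into this field (a content hash rather than a clock), so for a .NET assembly the future date is a weak indicator on its own. The DLL characteristics DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE (0x8540) are the C# compiler's defaults, not hardening the author chose. The import hash f34d5f2d4577ed6d9ceec516c1f5a744 is the one shared by essentially every 32-bit .NET executable whose only native import is mscoree.dll!_CorExeMain, so it identifies the loader stub, not this sample or family. The script below is an added example written for this page, not code from Joe Sandbox or from the sample. It takes the report's values (the time stamp, the characteristics word, entrypoint 0x42b9ae, image base 0x400000, the IAT directory at RVA 0x2000 size 8, and the section table further down the page); the IMAGE_DLLCHARACTERISTICS_* bit values are winnt.h's; the analysis date and the buffers fed to the entropy function are constructed.

```python
"""Triage of the PE header fields Joe Sandbox lists for gm5v3JlTMk.exe.

Added example for this page, not part of the report or of any tool it used.
Inputs are the report's values; DLL_CHARACTERISTICS bit values are winnt.h's;
the analysis date and the entropy sample buffers are constructed.
"""
import math
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# winnt.h IMAGE_DLLCHARACTERISTICS_* flags (bits 0x1..0x10 are reserved)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}


def decode_dll_characteristics(value: int) -> List[str]:
    """Flag names set in an IMAGE_OPTIONAL_HEADER.DllCharacteristics word."""
    names = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if value & bit]
    unknown = value & ~sum(DLL_CHARACTERISTICS) & 0xFFFF
    if unknown:
        names.append("UNKNOWN_0x%04x" % unknown)
    return names


def encode_dll_characteristics(names: List[str]) -> int:
    """Inverse of decode_dll_characteristics, for comparing against a report."""
    by_name = {n: bit for bit, n in DLL_CHARACTERISTICS.items()}
    return sum(by_name[n] for n in names)


EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is unsigned 32-bit seconds since the Unix
    epoch; adding a timedelta sidesteps fromtimestamp() limits past 2038."""
    return EPOCH + timedelta(seconds=ts & 0xFFFFFFFF)


def classify_timestamp(ts: int, analysed_at_iso: str) -> Dict[str, object]:
    """Decode the stamp and note the two cheap signals around it."""
    analysed = datetime.fromisoformat(analysed_at_iso)
    if analysed.tzinfo is None:
        analysed = analysed.replace(tzinfo=timezone.utc)
    when = pe_timestamp(ts)
    return {
        "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "in_future": when > analysed,
        # Roslyn deterministic builds store a content hash with the high bit
        # set here, so a post-2038 date is routine for .NET binaries and is
        # a weak signal by itself; pair it with the CLR header check below.
        "high_bit_set": bool(ts & 0x80000000),
        "zeroed": ts == 0,
    }


# (name, virtual address, virtual size, raw size) from the report's section table
SECTIONS = [
    (".text", 0x2000, 0x2e994, 0x2ec00),
    (".rsrc", 0x32000, 0x1c9d4, 0x1cc00),
    (".reloc", 0x50000, 0xc, 0x400),
]


def section_for_rva(rva: int, sections=SECTIONS) -> Optional[str]:
    """Section whose [VA, VA + max(virtual, raw)) range contains rva."""
    for name, va, vsize, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def entrypoint_check(entry_va: int, image_base: int,
                     iat_rva: int, iat_size: int) -> Dict[str, object]:
    """Where the entrypoint lives and whether the image has the single IAT
    slot a .NET native stub jumps through (the report's IAT: RVA 0x2000, 8)."""
    rva = entry_va - image_base
    return {
        "entry_rva": rva,
        "entry_section": section_for_rva(rva),
        "single_iat_slot": iat_size == 8,
        "iat_section": section_for_rva(iat_rva),
    }


def shannon_entropy(buf: bytes) -> float:
    """The report's 'Entropy (8bit)': bits per byte, 0.0 for a constant buffer,
    8.0 for a uniform one; values near 8 flag compressed or encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


if __name__ == "__main__":
    print(decode_dll_characteristics(0x8540))
    print(classify_timestamp(0xF0DBE6BE, "2024-05-01T00:00:00+00:00"))
    print(entrypoint_check(0x42b9ae, 0x400000, 0x2000, 0x8))
    print(shannon_entropy(bytes(2251)), shannon_entropy(bytes(range(256)) * 4))
```

For this sample the checks line up with the report: the entrypoint RVA 0x2b9ae falls in .text, the IAT holds exactly one slot, and the COM_DESCRIPTOR directory (RVA 0x2008, size 0x48) is present, which is the combination that identifies a managed executable far more reliably than the import hash does.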
Instruction (disassembly starting at the entrypoint, 0x42b9ae)
Only the first line is code. A 32-bit .NET executable has a six-byte native entry stub, a jmp through its single IAT slot (the IAT directory is RVA 0x2000, size 8; with image base 0x400000 that is the 0x402000 in the jmp). The disassembler then runs past the stub into CLR metadata, and the lines that follow are UTF-16LE string bytes decoded as x86: the immediates 006C006Ch, 61006800h and 63007300h are the character pairs "ll", "ha" and "sc". They carry no meaning as code.
jmp dword ptr [00402000h]
popad
add byte ptr [ebp+00h], dh
je 00007F72C515B7C2h
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 006C006Ch
xor eax, 59007400h
add byte ptr [edi+00h], dl
push edx
add byte ptr [ecx+00h], dh
popad
add byte ptr [edi+00h], dl
push esi
add byte ptr [edi+00h], ch
popad
add byte ptr [ebp+00h], ch
push 61006800h
add byte ptr [ebp+00h], ch
dec edx
add byte ptr [eax], bh
add byte ptr [edi+00h], dl
push edi
add byte ptr [ecx], bh
add byte ptr [ecx+00h], bh
bound eax, dword ptr [eax]
xor al, byte ptr [eax]
insb
add byte ptr [eax+00h], bl
pop ecx
add byte ptr [edi+00h], dl
js 00007F72C515B7C2h
jnc 00007F72C515B7C2h
pop edx
add byte ptr [eax+00h], bl
push ecx
add byte ptr [ebx+00h], cl
popad
add byte ptr [edi+00h], dl
dec edx
add byte ptr [ebp+00h], dh
pop edx
add byte ptr [edi+00h], dl
jo 00007F72C515B7C2h
imul eax, dword ptr [eax], 5Ah
add byte ptr [ebp+00h], ch
jo 00007F72C515B7C2h
je 00007F72C515B7C2h
bound eax, dword ptr [eax]
push edi
add byte ptr [eax+eax+77h], dh
add byte ptr [ecx+00h], bl
xor al, byte ptr [eax]
xor eax, 63007300h
add byte ptr [edi+00h], al
push esi
add byte ptr [ecx+00h], ch
popad
add byte ptr [edx], dh
add byte ptr [eax+00h], bh
je 00007F72C515B7C2h
bound eax, dword ptr [eax]
insd
add byte ptr [eax+eax+76h], dh
add byte ptr [edx+00h], bl
push edi
add byte ptr [ecx], bh
add byte ptr [eax+00h], dh
popad
add byte ptr [edi+00h], al
cmp dword ptr [eax], eax
insd
add byte ptr [edx+00h], bl
push edi
add byte ptr [esi+00h], cl
cmp byte ptr [eax], al
push esi
add byte ptr [eax+00h], cl
dec edx
add byte ptr [esi+00h], dh
bound eax, dword ptr [eax]
insd
add byte ptr [eax+00h], bh
jo 00007F72C515B7C2h
bound eax, dword ptr [eax]
insd
add byte ptr [ebx+00h], dh
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b95c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2b940 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2e994 | 0x2ec00 | 64c48738b5efa1379746874c338807d5 | False | 0.4696168950534759 | data | 6.205450376900145 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x32000 | 0x1c9d4 | 0x1cc00 | 5b3e8f48de8a05507379330b3cf331a7 | False | 0.23725373641304348 | data | 2.6063301335912525 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x50000 | 0xc | 0x400 | f921873e0b7f3fe3399366376917ef43 | False | 0.025390625 | data | 0.05390218305374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x321a0 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
RT_ICON | 0x35eb4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
RT_ICON | 0x466ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
RT_ICON | 0x4a924 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
RT_ICON | 0x4cedc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
RT_ICON | 0x4df94 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
RT_GROUP_ICON | 0x4e40c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x4e478 | 0x35a | data | | | 0.4417249417249417
RT_MANIFEST | 0x4e7e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
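The static tables above carry the two classic markers of a managed .NET executable: a non-zero IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header, here at RVA 0x2008 inside .text) and a single native import, mscoree.dll!_CorExeMain, which is just the stub that hands control to the runtime. The following is an added example, not code from the Joe Sandbox report or from the sample: it walks the PE headers with the standard library only, reads the CLR directory slot, maps its RVA to the owning section, and computes per-section Shannon entropy the way the section table does. The PE it parses at the bottom is constructed inline as a stand-in with the report's section RVAs; it is not the analysed binary, and the hex constants are the documented PE/IMAGE_SCN_* values.

```python
"""Added example (not the report's or the sample's code): detect a managed
.NET PE from IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and compute per-section
entropy, standard library only. The PE parsed at the bottom is constructed."""
import math
import struct

COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR slot
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SCN_CODE, SCN_INIT_DATA = 0x00000020, 0x00000040  # IMAGE_SCN_* flags used below
SCN_DISCARDABLE, SCN_EXECUTE, SCN_READ = 0x02000000, 0x20000000, 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rva_to_section(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def parse_pe(blob: bytes) -> dict:
    """DOS header -> NT signature -> file/optional header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dir_base = opt + (96 if magic == PE32_MAGIC else 112)        # data directories start
    num_dirs = struct.unpack_from("<I", blob, dir_base - 4)[0]   # NumberOfRvaAndSizes
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                             # IMAGE_SECTION_HEADER
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        chars = struct.unpack_from("<I", blob, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "characteristics": chars,
                         "entropy": round(shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]), 3)})
    clr_rva = clr_size = 0
    if num_dirs > COM_DESCRIPTOR_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", blob, dir_base + 8 * COM_DESCRIPTOR_INDEX)
    is_dotnet = clr_rva != 0 and clr_size != 0
    return {"sections": sections, "clr_rva": clr_rva, "clr_size": clr_size, "is_dotnet": is_dotnet,
            "clr_section": rva_to_section(sections, clr_rva) if is_dotnet else None}


def build_demo_pe() -> bytes:
    """Constructed PE32 stand-in, not the analysed sample: three sections at the
    report's RVAs and a CLR header entry (RVA 0x2008, size 0x48) inside .text."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)  # i386, 3 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
    text = bytearray(0x400)                           # IMAGE_COR20_HEADER stub at +8 (cb, v2.5),
    struct.pack_into("<IHH", text, 0x8, 0x48, 2, 5)   # then a byte cycle for code-like entropy
    text[0x10:] = (bytes(range(256)) * 4)[: 0x400 - 0x10]
    rsrc = bytes(0x200)                                                  # all zero: entropy 0.0
    reloc = struct.pack("<IIHH", 0x2000, 12, 0x3000, 0) + bytes(0x200 - 12)
    layout = [(b".text", 0x2000, text, 0x200, SCN_CODE | SCN_EXECUTE | SCN_READ),
              (b".rsrc", 0x32000, rsrc, 0x600, SCN_INIT_DATA | SCN_READ),
              (b".reloc", 0x50000, reloc, 0x800, SCN_INIT_DATA | SCN_DISCARDABLE | SCN_READ)]
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, len(d), va, len(d), off, 0, 0, 0, 0, ch)
                        for n, va, d, off, ch in layout)
    image = bytearray(dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs)
    image += bytes(max(off + len(d) for _, _, d, off, _ in layout) - len(image))  # room for raw data
    for _, _, data, off, _ in layout:
        image[off:off + len(data)] = data
    return bytes(image)


if __name__ == "__main__":
    info = parse_pe(build_demo_pe())
    print("managed:", info["is_dotnet"], "CLR header in section", info["clr_section"])
    for s in info["sections"]:
        print(f'{s["name"]:<7} va={s["va"]:#08x} raw={s["raw_size"]:#06x} entropy={s["entropy"]}')
```

Run against the real sample the same walk would land the CLR header in .text exactly as the report's data-directory table shows, which is the cue to open the file in a .NET decompiler rather than a native disassembler. The .text entropy of 6.2 in the section table is in the normal range for compiled IL plus metadata and well below the 7+ typical of packed or encrypted sections, so the stealer body is visible without an unpacking step.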
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/24/24-14:27:04.417356 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
04/24/24-14:26:58.880918 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
04/24/24-14:27:11.399846 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
04/24/24-14:26:59.108894 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
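All four Snort hits sit on one TCP conversation, 192.168.2.4:49730 to 103.113.70.99:2630, and the packet list that follows is that same session broken out per segment. When triaging a report like this it helps to collapse the packet rows into a flow record and hang the IDS alerts off it by 5-tuple, so the C2 endpoint, the non-standard port, the packets per direction and the signatures that fired come out as one line. The following is an added example, not part of the Joe Sandbox report: it parses a subset of the report's packet rows and its alert rows (embedded below in the pipe-separated form, with the nanosecond timestamps truncated to microseconds for strptime), builds direction-agnostic flows, and flags a server port outside a small allowlist on a globally routable address. The allowlist of "expected" ports is an assumption of this example.

```python
"""Added example (not part of the sandbox report): roll per-packet rows into
flows, attach Snort alerts by 5-tuple, and flag C2-like endpoints."""
import ipaddress
from datetime import datetime

# Constructed input: a subset of the report's TCP packet rows (timestamp, sport, dport, src, dst).
PACKET_ROWS = """\
Apr 24, 2024 14:26:58.376689911 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:26:58.597362995 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:26:58.597574949 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:26:58.606741905 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:26:58.847655058 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:26:58.880918026 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:26:59.108894110 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:26:59.152460098 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:04.173125982 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:04.417356014 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
"""

# Constructed input: the report's Snort rows (timestamp, proto, SID, message, sport, dport, src, dst).
ALERT_ROWS = """\
04/24/24-14:27:04.417356 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
04/24/24-14:26:58.880918 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
04/24/24-14:27:11.399846 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
04/24/24-14:26:59.108894 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
"""

WELL_KNOWN_PORTS = {53, 80, 443}  # assumption: outbound ports we do not flag on their own


def parse_packet_ts(s: str) -> datetime:
    """'Apr 24, 2024 14:26:58.376689911 CEST' -> datetime; strptime takes at most 6 fraction digits."""
    head, frac = s.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac.split()[0][:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_alert_ts(s: str) -> datetime:
    return datetime.strptime(s, "%m/%d/%y-%H:%M:%S.%f")  # Snort's '04/24/24-14:27:04.417356'


def flow_key(src, sport, dst, dport):
    """Direction-agnostic key so both halves of a conversation land in one record."""
    return tuple(sorted([(src, int(sport)), (dst, int(dport))]))


def summarize_flows(packet_rows: str, alert_rows: str) -> list:
    flows = {}
    for line in packet_rows.strip().splitlines():
        ts, sport, dport, src, dst = [c.strip() for c in line.split("|")]
        t = parse_packet_ts(ts)
        f = flows.setdefault(flow_key(src, sport, dst, dport), {
            "client": (src, int(sport)), "server": (dst, int(dport)),  # first packet defines roles
            "first": t, "last": t, "c2s": 0, "s2c": 0, "alerts": []})
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
        f["c2s" if (src, int(sport)) == f["client"] else "s2c"] += 1
    for line in alert_rows.strip().splitlines():
        ts, _proto, sid, msg, sport, dport, src, dst = [c.strip() for c in line.split("|")]
        f = flows.get(flow_key(src, sport, dst, dport))
        if f is not None:
            f["alerts"].append((parse_alert_ts(ts), int(sid), msg))
    out = []
    for f in flows.values():
        server_ip, server_port = f["server"]
        f["duration_s"] = (f["last"] - f["first"]).total_seconds()
        f["alerts"].sort()                                   # chronological
        f["sids"] = [sid for _, sid, _ in f["alerts"]]
        # the triage flag for this report: odd port on a routable host, not a known service
        f["suspicious_port"] = (server_port not in WELL_KNOWN_PORTS
                                and ipaddress.ip_address(server_ip).is_global)
        out.append(f)
    return out


if __name__ == "__main__":
    for f in summarize_flows(PACKET_ROWS, ALERT_ROWS):
        print(f'{f["client"][0]}:{f["client"][1]} -> {f["server"][0]}:{f["server"][1]} '
              f'c2s={f["c2s"]} s2c={f["s2c"]} {f["duration_s"]:.3f}s '
              f'suspicious_port={f["suspicious_port"]} sids={f["sids"]}')
```

On the embedded rows this yields a single flow to 103.113.70.99:2630, flagged for its port, with the SIDs in firing order 2046045 (the MC-NMF authorization handshake, .NET Message Framing as used by WCF net.tcp, which is how RedLine talks to its panel), 2043234, 2046056 and 2043231. The 2043231 alert at 14:27:11 falls after the last packet embedded here, which is why the correlation keys on the 5-tuple rather than on the time window.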
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 14:26:58.376689911 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:26:58.597362995 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:26:58.597574949 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:26:58.606741905 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:26:58.847655058 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:26:58.880918026 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:26:59.108894110 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:26:59.152460098 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:04.173125982 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:04.417356014 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:04.417375088 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:04.417387009 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:04.417393923 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:04.417414904 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:04.417499065 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:04.464941978 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:04.550640106 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:04.820612907 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:04.875916958 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:04.886518002 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:05.108470917 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.108499050 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.108513117 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.108707905 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.109575033 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.114157915 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:05.334954023 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.386831045 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:05.394545078 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:05.614743948 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.614784002 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.614803076 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.614820957 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.614943027 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.615020037 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.615104914 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.615828991 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:05.668076992 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.047282934 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.278096914 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.290587902 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.339921951 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.451994896 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.672363043 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.672468901 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.672564030 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.672610998 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.672637939 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.672653913 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.672677040 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.672715902 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.672813892 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.672878027 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.672902107 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.672947884 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.672955990 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.673002005 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.673091888 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.673166037 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.673383951 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.673446894 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.673526049 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.673573017 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.673588991 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.673628092 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.673696995 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.673762083 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.673818111 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.673887014 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.674016953 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.674083948 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.674101114 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.674160004 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.674308062 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.674369097 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.674436092 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.674515963 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.894922972 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.894994974 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.895040035 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.895217896 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.895365953 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.895385981 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.895479918 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.895550013 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.896866083 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.896960020 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:06.897223949 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:06.897347927 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:07.115726948 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.115747929 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.115768909 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.116020918 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.116183996 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.116297007 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.116408110 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.116583109 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.116739035 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.116971970 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.117043018 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.117151976 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.117403984 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.117568016 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.117670059 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.117778063 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.117824078 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.117856026 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.117973089 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.118144035 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.118669033 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.118968964 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:07.119146109 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:07.119884014 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.119949102 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.119983912 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.120140076 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.121084929 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.121164083 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.121180058 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.121242046 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.121710062 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.121804953 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.121875048 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.121892929 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.122132063 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.122203112 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.122462034 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:07.122584105 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:07.352596998 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.352708101 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.353087902 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.353529930 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.353746891 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.353817940 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.353872061 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.354118109 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.354208946 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.354207039 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:07.354388952 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 14:27:07.354418993 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.354477882 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 14:27:07.354578018 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.354593039 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.354754925 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.354769945 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.354876995 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.355209112 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:07.355348110 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:07.584726095 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.584753990 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.584860086 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.585055113 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.585225105 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.585483074 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.585589886 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.585606098 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.585630894 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.585887909 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.585895061 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:07.585968018 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.586016893 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.586082935 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:07.586199999 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.586401939 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.586652040 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:07.586760998 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:07.827348948 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.839394093 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.839540958 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.839567900 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.839720964 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.839773893 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.839876890 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.840012074 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.840122938 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:07.840173960 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.840256929 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:07.840394974 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:08.066809893 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:08.067055941 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:08.067162037 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:08.067333937 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:08.067509890 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:08.070734024 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:08.075124979 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:08.296367884 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:08.301059008 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:08.521739960 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:08.523138046 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:08.743813038 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:08.794384956 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:08.799320936 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:09.032887936 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:09.035561085 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:09.280891895 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:09.324299097 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:09.414216995 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:09.641150951 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:09.646511078 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:09.877763033 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:09.904062033 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:10.124735117 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:10.139179945 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:10.361572027 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:10.364269972 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:10.592441082 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:10.595978022 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:10.826086044 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:10.871201992 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:10.909518957 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:11.164067030 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:11.164844990 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:11.398585081 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:11.399846077 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:11.621273994 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 14:27:11.668039083 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 14:27:11.678188086 CEST497302630192.168.2.4103.113.70.99

                                                                                                                                                Click to jump to process

                                                                                                                                                Click to jump to process

                                                                                                                                                Click to dive into process behavior distribution

Target ID: 0
Start time: 14:26:55
Start date: 24/04/2024
Path: C:\Users\user\Desktop\gm5v3JlTMk.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\gm5v3JlTMk.exe"
Imagebase: 0xbc0000
File size: 312'891 bytes
MD5 hash: 79FC20C78E45D10F5F6D3F12C736B8D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1641741658.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1792581225.0000000003198000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1792581225.0000000003261000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 7.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 52
Total number of Limit Nodes: 7

Strings

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd

Similarity
• API ID:
• String ID: $qq
• API String ID: 0-87942743
• Opcode ID: 054df31e218e467037ee2bd9d3d6d1068d6daaacc3257dd919da5dbbe78f01aa
• Instruction ID: 5b90d4b7a00ebdef23f330224de3b2ab7cdbe579f3f6f07c85658d8a674c950d
• Opcode Fuzzy Hash: 054df31e218e467037ee2bd9d3d6d1068d6daaacc3257dd919da5dbbe78f01aa
• Instruction Fuzzy Hash: 14128074B00215DFDB94DF68C854A6EBBF6BF88700B158569EA05EB3A5DB30DC41CB90

Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b53ce662a6dc0ec73b201ae9ddca50264870f128896da93355dd731aa4fcee0
• Instruction ID: d139dd2608a843f2f3134fc826f0e68cf0e85e54f07703fe29848cc7a7f31a9f
• Opcode Fuzzy Hash: 2b53ce662a6dc0ec73b201ae9ddca50264870f128896da93355dd731aa4fcee0
• Instruction Fuzzy Hash: 72F1C671A002199FDB55DF68D880B9EBBF2FF45310F148969E509EB2A1EB30DC95CB90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d4439a663f414fa62edc55b260425629efa231f2caaeccbf15ddcbaaa80e5cf4
                                                                                                                                                  • Instruction ID: 50e5c0e774e70e581605ea18ff471e47fe6383a1f5463e0056c6e919a015e9a4
                                                                                                                                                  • Opcode Fuzzy Hash: d4439a663f414fa62edc55b260425629efa231f2caaeccbf15ddcbaaa80e5cf4
                                                                                                                                                  • Instruction Fuzzy Hash: FBD1F670900318CFDB18EFB4D844AADBBB2FF8A301F2085ADD51AAB294DB355885CF11
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 1dbe666b2bbb49e9513f86895d42fc803dec0090b0f8d24c4de3e20315080dbe
                                                                                                                                                  • Instruction ID: 2b2251d953e00bed159a03c4277bf84bdde1b02473164a0d7b9bb6e105b736ba
                                                                                                                                                  • Opcode Fuzzy Hash: 1dbe666b2bbb49e9513f86895d42fc803dec0090b0f8d24c4de3e20315080dbe
                                                                                                                                                  • Instruction Fuzzy Hash: 5CD1E670900318CFDB18EFB5D854AADBBB2FF8A301F1085ADD51AAB254DB359985CF11
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1805989098.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_67f0000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID: $qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq
• API String ID: 0-3343575084
• Opcode ID: fd18a6ef0a1d4bb14b292ed7925958b74f6b6074a75a11de153323891dbef962
• Instruction ID: 0b396efe9f00d8131bc6d0b4266ede41f338d269d4a0e371629bbc222604b391
• Opcode Fuzzy Hash: fd18a6ef0a1d4bb14b292ed7925958b74f6b6074a75a11de153323891dbef962
• Instruction Fuzzy Hash: 8232AD30B20205DFDB559B69C854A7ABBF6BF89310F15845AEA06DB3A2CF34DC41CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1805989098.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_67f0000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID: $qq$$qq$$qq$$qq$$qq$$qq
• API String ID: 0-1822695862
• Opcode ID: 0a1963e8d41a2e2f2a84a2148b799e96433c095b27cb8482752955050213a4f2
• Instruction ID: 98bddbcec9c163ac35b320a92dca3e34ff6155c7ca7908ac42b8d285a31c3100
• Opcode Fuzzy Hash: 0a1963e8d41a2e2f2a84a2148b799e96433c095b27cb8482752955050213a4f2
• Instruction Fuzzy Hash: 27C1E230B24205DFDB559BB9C894A3EB7E6EF99300F508469E6068B3A2DF75DC01C791
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0177B086
Memory Dump Source
• Source File: 00000000.00000002.1789009970.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1770000_gm5v3JlTMk.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 5680119e196de6a37d511a4c93d18473b46dc56f6e21f55b16ee9b48c09d1d77
• Instruction ID: a363668da3d0afcfab44a2711b11b307c483f629eca5bb416389dd97f7b17757
• Opcode Fuzzy Hash: 5680119e196de6a37d511a4c93d18473b46dc56f6e21f55b16ee9b48c09d1d77
• Instruction Fuzzy Hash: 608125B0A00B458FEB25DF29D44475AFBF1FF88204F04892DE58AD7A90D775E949CB90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 017759F1
Memory Dump Source
• Source File: 00000000.00000002.1789009970.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1770000_gm5v3JlTMk.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: d3002ffb3e3aafb8cfb85125e175a3cb90c5b570ce226b92b67af34d315e2094
• Instruction ID: 93fe2f206fb40238a3bf1729b50f6fcf72d7d46a448dad9af11b3b1cf5afc26c
• Opcode Fuzzy Hash: d3002ffb3e3aafb8cfb85125e175a3cb90c5b570ce226b92b67af34d315e2094
• Instruction Fuzzy Hash: C441E1B0D0031DCADB24DFA9C884B8EFBB5FF49304F20806AD509AB251DB756A49CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 017759F1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1789009970.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1770000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Create
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                  • Opcode ID: 66a0d3a16d3011db5f0061edef8ad2262613a56d03eb06f12a8942b7550e69da
                                                                                                                                                  • Instruction ID: 641bcfb1f915ed8fe8c7b11da2bc3623568ca8d39235ca341d7c7c56982f8cd2
                                                                                                                                                  • Opcode Fuzzy Hash: 66a0d3a16d3011db5f0061edef8ad2262613a56d03eb06f12a8942b7550e69da
                                                                                                                                                  • Instruction Fuzzy Hash: A641F1B0D0071DCADB24DFA9C884B8EFBB5FF49304F20806AD519AB251DB756A45CF90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%
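The control_flow_graph lines in these entries are a compact edge list: each basic block appears as a decimal block id followed by its address (or start-end address range), any API called inside that block is listed right after it, and edges are written as id->id. What follows is an added example written for this page, not code from the Joe Sandbox report or the Joe Sandbox IDA plugin: a small Python parser that rebuilds blocks and edges from that notation and checks which block an API reference address falls in. The tokenization rules are an assumption inferred from the entries shown here (block id, then address, then optional API names, edges as a->b), not a documented Joe Sandbox schema; the sample input is the CreateActCtxA graph copied from the entry above, with the "ref: 017759F1" address used to locate the call site.

```python
"""Parse a Joe Sandbox 'control_flow_graph' edge list into blocks and edges.

Added example for this report; the grammar below is inferred from the
entries on the page (assumption), not taken from Joe Sandbox documentation.
"""
import re
from dataclasses import dataclass, field

# Constructed input: the CreateActCtxA graph copied from the entry above.
SAMPLE = (
    "control_flow_graph 861 1774248-1775a01 CreateActCtxA 864 1775a03-1775a09 "
    "861->864 865 1775a0a-1775a64 861->865 864->865 872 1775a66-1775a69 "
    "865->872 873 1775a73-1775a77 865->873 872->873 874 1775a79-1775a85 "
    "873->874 875 1775a88 873->875 874->875 877 1775a89 875->877 877->877"
)

EDGE_RE = re.compile(r"(\d+)->(\d+)")


@dataclass
class Block:
    bid: int
    start: int          # first address of the block
    end: int            # last address of the block (== start for one-address blocks)
    apis: list = field(default_factory=list)  # API names listed for this block


def parse_cfg(text: str):
    """Return (blocks: dict[int, Block], edges: list[tuple[int, int]])."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges = {}, []
    cur = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.fullmatch(tok)
        if m:                                   # "src->dst"
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if tok.isdigit():                       # block id; next token is its address
            lo, _, hi = tokens[i + 1].partition("-")
            start = int(lo, 16)
            end = int(hi, 16) if hi else start
            cur = Block(int(tok), start, end)
            blocks[cur.bid] = cur
            i += 2
            continue
        if cur is None:
            raise ValueError(f"API name {tok!r} before any block")
        cur.apis.append(tok)                    # anything else is an API name
        i += 1
    return blocks, edges


def entry_blocks(blocks, edges):
    """Blocks with no incoming edge (the function entry in a well-formed graph)."""
    targets = {dst for _, dst in edges}
    return sorted(b for b in blocks if b not in targets)


def self_loops(edges):
    """Blocks that branch to themselves (tight loops, e.g. 877->877 above)."""
    return sorted(src for src, dst in edges if src == dst)


def blocks_calling(blocks, api):
    """Block ids whose listed API names include `api`."""
    return sorted(b.bid for b in blocks.values() if api in b.apis)


def block_containing(blocks, addr):
    """Block id whose address range covers `addr`, or None."""
    for b in blocks.values():
        if b.start <= addr <= b.end:
            return b.bid
    return None


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE)
    print(f"{len(blocks)} blocks, {len(edges)} edges")
    print("entry:", entry_blocks(blocks, edges), "self-loops:", self_loops(edges))
    print("CreateActCtxA in block:", blocks_calling(blocks, "CreateActCtxA"))
    print("ref 017759F1 lies in block:", block_containing(blocks, 0x017759F1))
```

Running it against the sample confirms that the "ref: 017759F1" address from the APIs list falls inside block 861, the block the graph tags with CreateActCtxA, and that block 877 is a one-address self-loop. The same parser works on the larger graphs further down this page (for example the 67f1ba0 entry, which lists no API names), since API names are optional per block.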

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 878 177c9a0-177d394 DuplicateHandle 880 177d396-177d39c 878->880 881 177d39d-177d3ba 878->881 880->881
                                                                                                                                                  APIs
                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0177D2C6,?,?,?,?,?), ref: 0177D387
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1789009970.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1770000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                  • Opcode ID: 17dcb7ece5df8ceceb4d2bbd16f7f1256205d621ca4f701d046d1e4fede012a5
                                                                                                                                                  • Instruction ID: 85e10e0481df385f3da300431ae03de465f4518c56e2e567237373ebad12948f
                                                                                                                                                  • Opcode Fuzzy Hash: 17dcb7ece5df8ceceb4d2bbd16f7f1256205d621ca4f701d046d1e4fede012a5
                                                                                                                                                  • Instruction Fuzzy Hash: BB21D2B5900248DFDB10CFAAD984AEEFBF9EF48310F14845AE918A7250D374A954CFA4
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 884 177d2f9-177d2fe 885 177d300-177d394 DuplicateHandle 884->885 886 177d396-177d39c 885->886 887 177d39d-177d3ba 885->887 886->887
                                                                                                                                                  APIs
                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0177D2C6,?,?,?,?,?), ref: 0177D387
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1789009970.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1770000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                  • Opcode ID: cad9d010b80d00f3e94f0b1224a51f7070611d252e96b9a9bb2dd9337f09aea1
                                                                                                                                                  • Instruction ID: c63a763c9115801a0e53e2612b3192093b0ff1b8f5b4dc51a219265bef9c7daa
                                                                                                                                                  • Opcode Fuzzy Hash: cad9d010b80d00f3e94f0b1224a51f7070611d252e96b9a9bb2dd9337f09aea1
                                                                                                                                                  • Instruction Fuzzy Hash: DC21D4B5900349DFDB10CFAAD484ADEBBF9EB48310F14841AE918A3250D374A954CF65
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 890 177a870-177b2e8 892 177b2f0-177b31f LoadLibraryExW 890->892 893 177b2ea-177b2ed 890->893 894 177b321-177b327 892->894 895 177b328-177b345 892->895 893->892 894->895
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0177B101,00000800,00000000,00000000), ref: 0177B312
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1789009970.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1770000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                  • Opcode ID: 4367d7f0bdf52f98c8cf973a2261d06df8e3bac0b182d14088b27bf0f96e8f96
                                                                                                                                                  • Instruction ID: 21deb47cbbeb3af379102351cbc60e0779ac15901b30648579e1c906fdd3aa4d
                                                                                                                                                  • Opcode Fuzzy Hash: 4367d7f0bdf52f98c8cf973a2261d06df8e3bac0b182d14088b27bf0f96e8f96
                                                                                                                                                  • Instruction Fuzzy Hash: C11114B68043499FDB10CF9AC448ADEFBF8EF88310F10842ED919A7210C375A544CFA4
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 898 177b2a0-177b2e8 899 177b2f0-177b31f LoadLibraryExW 898->899 900 177b2ea-177b2ed 898->900 901 177b321-177b327 899->901 902 177b328-177b345 899->902 900->899 901->902
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0177B101,00000800,00000000,00000000), ref: 0177B312
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1789009970.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1770000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                  • Opcode ID: 9278ed1f9299ec93d2623158f0b84c21ffc5f982b2c773f3eef7b32fb685d46e
                                                                                                                                                  • Instruction ID: c2c2d28b767b3d6dcd3ffe42d3b29c7212c902e68d860fd1e0a2ebfd7b5251d5
                                                                                                                                                  • Opcode Fuzzy Hash: 9278ed1f9299ec93d2623158f0b84c21ffc5f982b2c773f3eef7b32fb685d46e
                                                                                                                                                  • Instruction Fuzzy Hash: 961126B68003498FDB14DF9AC444ADEFFF4EF88310F14842AD919A7211C375A545CFA4
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 905 177b020-177b060 906 177b062-177b065 905->906 907 177b068-177b093 GetModuleHandleW 905->907 906->907 908 177b095-177b09b 907->908 909 177b09c-177b0b0 907->909 908->909
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0177B086
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1789009970.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1770000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                  • Opcode ID: 71bae35689b14d13496e1496f24f17ddfcc88bf0804b5c85a23a0d924e04b562
                                                                                                                                                  • Instruction ID: 6a0afd01522a253921df769f6507dcb13c4f9fb85bdb383e95240c16465a9fe4
                                                                                                                                                  • Opcode Fuzzy Hash: 71bae35689b14d13496e1496f24f17ddfcc88bf0804b5c85a23a0d924e04b562
                                                                                                                                                  • Instruction Fuzzy Hash: 2311D2B5C00349CFDB14DF9AC444A9EFBF4EB89214F10846AD529A7210C375A545CFA5
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 911 67f1ba0-67f1bc3 913 67f1bc5-67f1bc7 911->913 914 67f1bd1-67f1c2d 911->914 913->914 919 67f2056-67f205d 914->919 920 67f1c33-67f1c69 914->920 923 67f205f-67f2071 919->923 924 67f20a0 919->924 920->919 937 67f1c6f-67f1ca5 920->937 926 67f2035-67f2039 923->926 927 67f2073-67f2074 923->927 928 67f20a5-67f20a6 924->928 926->919 929 67f203b-67f2053 926->929 927->928 930 67f2076-67f209e 927->930 931 67f20aa-67f20b4 928->931 932 67f20a8 928->932 930->924 934 67f20b6-67f2119 930->934 931->934 932->934 950 67f211f-67f2139 934->950 951 67f2ea1-67f2eb6 934->951 937->919 944 67f1cab-67f1ce2 937->944 944->919 954 67f1ce8-67f1d1e 944->954 950->951 956 67f213f-67f216f 950->956 957 67f2ebe-67f2ee8 951->957 958 67f2eb8-67f2ebc 951->958 954->919 971 67f1d24-67f1d5a 954->971 973 67f2189-67f21d5 956->973 974 67f2171-67f2187 956->974 959 67f2eea-67f2ef0 957->959 960 67f2f00-67f2f78 957->960 958->957 962 67f2ef4-67f2efe 959->962 963 67f2ef2 959->963 984 67f2f7a-67f2fa0 960->984 985 67f2fa2-67f2fa9 960->985 962->960 963->960 971->919 989 67f1d60-67f1d9e 971->989 987 67f21dc-67f21f9 973->987 974->987 984->985 987->951 994 67f21ff-67f2235 987->994 989->919 1000 67f1da4-67f1ded 989->1000 1003 67f224f-67f229b 994->1003 1004 67f2237-67f224d 994->1004 1000->919 1018 67f1df3-67f1e29 1000->1018 1011 67f22a2-67f22bf 1003->1011 1004->1011 1011->951 1015 67f22c5-67f22fb 1011->1015 1025 67f22fd-67f2313 1015->1025 1026 67f2315-67f2361 1015->1026 1018->919 1027 67f1e2f-67f1e65 1018->1027 1033 67f2368-67f2385 1025->1033 1026->1033 1027->919 1038 67f1e6b-67f1ea1 1027->1038 1033->951 1040 67f238b-67f23c1 1033->1040 1038->919 1049 67f1ea7-67f1edd 1038->1049 1047 67f23db-67f2427 1040->1047 1048 67f23c3-67f23d9 1040->1048 1056 67f242e-67f244b 1047->1056 1048->1056 1049->919 1060 67f1ee3-67f1efa 1049->1060 1056->951 1062 67f2451-67f2487 
1056->1062 1060->919 1065 67f1f00-67f1f32 1060->1065 1070 67f2489-67f249f 1062->1070 1071 67f24a1-67f24f9 1062->1071 1073 67f1f5c-67f1f9e 1065->1073 1074 67f1f34-67f1f5a 1065->1074 1081 67f2500-67f251d 1070->1081 1071->1081 1093 67f1fbc-67f1fc8 1073->1093 1094 67f1fa0-67f1fb6 1073->1094 1090 67f1fce-67f2001 1074->1090 1081->951 1089 67f2523-67f2559 1081->1089 1099 67f255b-67f2571 1089->1099 1100 67f2573-67f25d1 1089->1100 1090->919 1102 67f2003-67f2033 1090->1102 1093->1090 1094->1093 1108 67f25d8-67f25f5 1099->1108 1100->1108 1102->926 1108->951 1114 67f25fb-67f2631 1108->1114 1118 67f264b-67f26a9 1114->1118 1119 67f2633-67f2649 1114->1119 1124 67f26b0-67f26cd 1118->1124 1119->1124 1124->951 1127 67f26d3-67f2709 1124->1127 1132 67f270b-67f2721 1127->1132 1133 67f2723-67f2781 1127->1133 1138 67f2788-67f27a5 1132->1138 1133->1138 1138->951 1142 67f27ab-67f27c5 1138->1142 1142->951 1144 67f27cb-67f27fb 1142->1144 1148 67f27fd-67f2813 1144->1148 1149 67f2815-67f2873 1144->1149 1154 67f287a-67f2897 1148->1154 1149->1154 1154->951 1158 67f289d-67f28b7 1154->1158 1158->951 1160 67f28bd-67f28ed 1158->1160 1164 67f28ef-67f2905 1160->1164 1165 67f2907-67f2965 1160->1165 1170 67f296c-67f2989 1164->1170 1165->1170 1170->951 1173 67f298f-67f29a9 1170->1173 1173->951 1176 67f29af-67f29df 1173->1176 1180 67f29f9-67f2a57 1176->1180 1181 67f29e1-67f29f7 1176->1181 1186 67f2a5e-67f2a7b 1180->1186 1181->1186 1186->951 1190 67f2a81-67f2ab7 1186->1190 1194 67f2ab9-67f2acf 1190->1194 1195 67f2ad1-67f2b2f 1190->1195 1200 67f2b36-67f2b53 1194->1200 1195->1200 1200->951 1204 67f2b59-67f2b8f 1200->1204 1208 67f2ba9-67f2c07 1204->1208 1209 67f2b91-67f2ba7 1204->1209 1214 67f2c0e-67f2c2b 1208->1214 1209->1214 1214->951 1217 67f2c31-67f2c67 1214->1217 1222 67f2c69-67f2c7f 1217->1222 1223 67f2c81-67f2cdf 1217->1223 1228 67f2ce6-67f2d03 1222->1228 1223->1228 1228->951 1232 67f2d09-67f2d3f 1228->1232 1236 67f2d59-67f2db7 1232->1236 1237 67f2d41-67f2d57 1232->1237 1242 67f2dbe-67f2ddb 1236->1242 
1237->1242 1242->951 1245 67f2de1-67f2e13 1242->1245 1250 67f2e2d-67f2e82 1245->1250 1251 67f2e15-67f2e2b 1245->1251 1256 67f2e89-67f2e9e 1250->1256 1251->1256
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1805989098.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_67f0000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c35b75ab7ad59453d941c006c9625d6d01940a35967055ae5be2820243fbcede
                                                                                                                                                  • Instruction ID: f0384aa247442e626d5b70a92427c7673874a4592e17238c2105ddc288011a91
                                                                                                                                                  • Opcode Fuzzy Hash: c35b75ab7ad59453d941c006c9625d6d01940a35967055ae5be2820243fbcede
                                                                                                                                                  • Instruction Fuzzy Hash: BCC24F70B102189FCB54DF64C855EADBBB6FF88700F118099E61A9B3A2DB719E41CF91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 1260 6803de0-6803deb 1263 6803e10-6803e48 1260->1263 1264 6803ded-6803dfe 1260->1264 1273 6803ea4-6803eab 1263->1273 1274 6803e4a 1263->1274 1267 6803e00-6803e05 1264->1267 1268 6803e0c-6803e0f 1264->1268 1267->1268 1277 6803eac-6803eb4 1273->1277 1275 6803e51-6803e52 1274->1275 1276 6803e4c-6803e50 1274->1276 1278 6803e54 1275->1278 1279 6803e59-6803e71 1275->1279 1276->1275 1276->1277 1278->1279
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 09f48a67424a515a9b63066e1f553d3734afa24b2e6667f6168a3647749de110
                                                                                                                                                  • Instruction ID: fc4ff3b4321bc3a3b3a965ce8bb7d74e10e49912f35670662ba5ea5e42f9dae3
                                                                                                                                                  • Opcode Fuzzy Hash: 09f48a67424a515a9b63066e1f553d3734afa24b2e6667f6168a3647749de110
                                                                                                                                                  • Instruction Fuzzy Hash: AAC12878B00605CFD754DF69C884AAEBBF2BF89301B1585A9E606DB3A1DB30EC45CB50
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 51bd500cf07e79e7dd377cc9a334c725814a2a800301b77d2cb512b71f5d6da3
                                                                                                                                                  • Instruction ID: b98d103f11753cbfd5f57e072669b759886d5713474a9f46da2207e71d96ec5e
                                                                                                                                                  • Opcode Fuzzy Hash: 51bd500cf07e79e7dd377cc9a334c725814a2a800301b77d2cb512b71f5d6da3
                                                                                                                                                  • Instruction Fuzzy Hash: 15616370F00215CFDB94DF69C8546AEBBF6BF98200B158569DA09E73A5DB70DC41CBA0
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7e602519e909694177dddb233030d9c9a4aa1b0a1c192827f646d1ea6448802a
                                                                                                                                                  • Instruction ID: 543caadeaf8ccf65dcc2b5d55f5967b99d9f2cc4146db872111189e37e612303
                                                                                                                                                  • Opcode Fuzzy Hash: 7e602519e909694177dddb233030d9c9a4aa1b0a1c192827f646d1ea6448802a
                                                                                                                                                  • Instruction Fuzzy Hash: EC51A575B002059FDB94DF69D88099EBBF5FF88314B1588AAD505D7361EB30EC41CB90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: dc6911cb0add07a17e26695be41982278ccefc8c56b50e34f7c1be7f777b9143
                                                                                                                                                  • Instruction ID: 1f20a11ab2eb07c1ec8c77d4bee92e1a764196f80a38488d65aeb0a04ad72d00
                                                                                                                                                  • Opcode Fuzzy Hash: dc6911cb0add07a17e26695be41982278ccefc8c56b50e34f7c1be7f777b9143
                                                                                                                                                  • Instruction Fuzzy Hash: 515136B0E00258CFEB95CFA9C884BDEBBF5AF48700F148929D515EB294DB74A945CF80
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f692e62e5a29d1a3b4236a9f6746902bdecfbd516565c7cf51caa975713730cc
                                                                                                                                                  • Instruction ID: 7558bfc8d0d236f06eac08bc366bfa2a52aec553be5d0d1ed043a9106783d33b
                                                                                                                                                  • Opcode Fuzzy Hash: f692e62e5a29d1a3b4236a9f6746902bdecfbd516565c7cf51caa975713730cc
                                                                                                                                                  • Instruction Fuzzy Hash: B65158B0E00249CFEB95CFA9C884BDEBBF5AF48700F148829D515EB294DB74A845CF80
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 52928439f98273895892e975f81f86c28d53d7c2fbe5a1bd65e6dc42acc02c1f
                                                                                                                                                  • Instruction ID: 9204b23a9e62c66d63f6716eb47bcb7fe5ca033250be4aeeddd57a13df5e4bf6
                                                                                                                                                  • Opcode Fuzzy Hash: 52928439f98273895892e975f81f86c28d53d7c2fbe5a1bd65e6dc42acc02c1f
                                                                                                                                                  • Instruction Fuzzy Hash: 3C411975A083458FCB569F78D81456E7FB2FF96300F5488AEE580CB392D6358D05CB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0fc1b93d300eaef48bacd7bbfe57b2d8e9c414b40f6b086653a1d1dd10892a60
                                                                                                                                                  • Instruction ID: 6f259ba2c6401bc03a336b345d3b436da8b529271662ebd6e565fd6e5b240e86
                                                                                                                                                  • Opcode Fuzzy Hash: 0fc1b93d300eaef48bacd7bbfe57b2d8e9c414b40f6b086653a1d1dd10892a60
                                                                                                                                                  • Instruction Fuzzy Hash: FF415935A006068FDB54CF58C98096ABBF2FF89310B558969E559DB2A1D730F801CFA1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: aad07b086f2b5d2e941615cd5429dfd298eaf3bdc91bf6cdd7f8be2ba959a15a
                                                                                                                                                  • Instruction ID: c92821ccff79ebc4658ef02ed4f2c37771fcf8505753207f5558a8eb85e0a97e
                                                                                                                                                  • Opcode Fuzzy Hash: aad07b086f2b5d2e941615cd5429dfd298eaf3bdc91bf6cdd7f8be2ba959a15a
                                                                                                                                                  • Instruction Fuzzy Hash: 414126B5505F948FC725CF2EC480897FFF4AF99210B04896EE9DA83B22D270E944CB61
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2af0017c5cb5c546d845a8a55a6369cd67438dd5c7de2e975ab765c736a74ae7
                                                                                                                                                  • Instruction ID: dfab9826a62659a9bff84a816101c643ee87e1aaf88d7d9ce2dcc3f4dbc87d52
                                                                                                                                                  • Opcode Fuzzy Hash: 2af0017c5cb5c546d845a8a55a6369cd67438dd5c7de2e975ab765c736a74ae7
                                                                                                                                                  • Instruction Fuzzy Hash: DC318B78B012109FDB55DF38D88496E7BB2FF89201B44886AE905CB396DB30DD06CBA1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7b231a1b5cb2633af8cbf87e41538d60102f8224a54e406459ff7d906bf5d77f
                                                                                                                                                  • Instruction ID: 01bc92dd5cbc6c094fb8b6414f815df74d8941dd543ae40187c82bfbd4b64b7c
                                                                                                                                                  • Opcode Fuzzy Hash: 7b231a1b5cb2633af8cbf87e41538d60102f8224a54e406459ff7d906bf5d77f
                                                                                                                                                  • Instruction Fuzzy Hash: 96318978B012119FDB45DF38D88496EBBB6FF89341B508869E905CB395DB30ED02CBA1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
• Opcode ID: 4bff9639451e3396f5166b9c1c7183fb22fd02de56d29d1146ed4c6167a235c2
• Instruction ID: c8183cea966b2287fb70cab6fba410f0aa1f24da011dd43fccb5d437dc91038e
• Opcode Fuzzy Hash: 4bff9639451e3396f5166b9c1c7183fb22fd02de56d29d1146ed4c6167a235c2
• Instruction Fuzzy Hash: 474102B1D01248DFEF58DFAAD944ADEFBB6AF88310F10842AD415B7294DB34A945CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6e5c45a0f50c6d979304a2ee11e1c0697580df0404dacd7366735fafc0881ae
• Instruction ID: c77a963fd13f547b495b622169579a5bb543999efb586cb13cb339dce235bd71
• Opcode Fuzzy Hash: f6e5c45a0f50c6d979304a2ee11e1c0697580df0404dacd7366735fafc0881ae
• Instruction Fuzzy Hash: 423112B1D012489FEF58DFAAC944ADEBBF6AF88300F14842AD415AB294DB749985CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1805989098.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_67f0000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3591f13cc17ce79d9703f01886d2431c4a8abea8112eb5f94814956315efbb19
• Instruction ID: a161d736a900b4a035b5c0932880b61c7d5e4d5d3e83d9771e3bd97be2c59ed3
• Opcode Fuzzy Hash: 3591f13cc17ce79d9703f01886d2431c4a8abea8112eb5f94814956315efbb19
• Instruction Fuzzy Hash: 8B213075B501049FCB54DF65D584EA9BBB2EF88714F1580A5FA059F3A1DA31EC01CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1805989098.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_67f0000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 647b20222942d249ed9565b5cc602a1fab1b756ce2252fef4afe3f0c7bb0b3b8
• Instruction ID: 8f30e9120c885468f20f860691641edad11ad2a2aa3e8e52d8b06d459e43eb52
• Opcode Fuzzy Hash: 647b20222942d249ed9565b5cc602a1fab1b756ce2252fef4afe3f0c7bb0b3b8
• Instruction Fuzzy Hash: 02214135B501049FCB54DF69D984EA9BBB2FF88714F1680A5FA059F3A2DA31EC05CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1805989098.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_67f0000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d1b273ccb8585561728a9e1e1e8a373eca27f92e80c23b49ec159e0520e283a
• Instruction ID: 9a8d1efde33e071715eb109d9ae00b745c837ad460c23838eb01f60782e0f266
• Opcode Fuzzy Hash: 2d1b273ccb8585561728a9e1e1e8a373eca27f92e80c23b49ec159e0520e283a
• Instruction Fuzzy Hash: 39214135B411149FCB54DF65D984DAABBB2FF88714F1180A5FA0A9F3A2DA31EC05CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b93dd86d4dbf5c4dadf7b12300807fa1ebb388120dfed5763ace5e8f4cb59543
• Instruction ID: be84a4f22620901ec6ab6c55547d542babeeab235a49e2d2fd0935ff410c2f11
• Opcode Fuzzy Hash: b93dd86d4dbf5c4dadf7b12300807fa1ebb388120dfed5763ace5e8f4cb59543
• Instruction Fuzzy Hash: F53112B1D01258DFDF54DFA9D894ADEBBF9AF48310F24842AE409E7380CB74A945CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1788614728.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12fd000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1923af3198586ea920a285523dff2f1b75c566d6bba386741fc4da3026045b3
• Instruction ID: 4b2c81d5c2fe918885b6adba7296c22f58ee7dc0354facf25287a70e69079941
• Opcode Fuzzy Hash: c1923af3198586ea920a285523dff2f1b75c566d6bba386741fc4da3026045b3
• Instruction Fuzzy Hash: D92102B5510209DFDB05DF48C9C4B56FB65FB94324F20C56CDA0A0A246C336E416CAA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1788637772.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_130d000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18eb313da3a44c8f46d86b53b098594ca46a25483bf7d52f5431e681d3a8e78a
• Instruction ID: 1ff379c544e343caf6a5fe6d88cff6b95a4844b1efe68e0556137811e986ab58
• Opcode Fuzzy Hash: 18eb313da3a44c8f46d86b53b098594ca46a25483bf7d52f5431e681d3a8e78a
• Instruction Fuzzy Hash: 5C210371604204DFDB16DF98D894B16BBE5FB84318F20C56DD80E4B786C336D407CA61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fcd5b1cecc96e6e43505d88358ef24fa7b5add850a362aa81dcff4b8e001bd1
• Instruction ID: acb31a1c17719c47fca3c02b84cafc55341699296edf6a96b444d0512c682066
• Opcode Fuzzy Hash: 9fcd5b1cecc96e6e43505d88358ef24fa7b5add850a362aa81dcff4b8e001bd1
• Instruction Fuzzy Hash: A621FEB4E0120ADFDF80DFA8D8846ADBBB4FB08311F1044AAE915E7390D3745A81CF80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86421f342d1e9e2b09265be1a9dd1f77d6a11329103e1a034b417a05cc833c84
• Instruction ID: 4fb802067ea70084972e498800bde718ce123cbe3ffc95ced873a8cfc1e570e4
• Opcode Fuzzy Hash: 86421f342d1e9e2b09265be1a9dd1f77d6a11329103e1a034b417a05cc833c84
• Instruction Fuzzy Hash: 472135B1D01248DFEF54DFA9C895B9EBBF9AF08300F24842AE404E7380CB749985CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ed7fd2b4f0ebd8cdb65c4a716f9c5818ea75ad3e23314c5a7e1611fab678d19
• Instruction ID: 21cf107454b505d40d235d3103a76bc58605b569e973f53d7bce7a2ce5faa449
• Opcode Fuzzy Hash: 7ed7fd2b4f0ebd8cdb65c4a716f9c5818ea75ad3e23314c5a7e1611fab678d19
• Instruction Fuzzy Hash: 22117B34A08B508FE7F28A244E401BE7BB29F82205B088C9AD141C65E6D175E481CB63
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1788614728.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12fd000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction ID: 03e38820ab5bc20717997455d1a05b91d47e883232222b35e1429fa90f5a035f
• Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction Fuzzy Hash: F011CA76504285CFDB02CF44D9C4B56BF72FB84224F24C2ADDA090A656C33AE45ACBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ca9a5bcab1e02d4850b76930c867641dd37b04e2f1e9fe28b1a73c2dad7d334
• Instruction ID: 2291b9667ff66f4ba22600e4c7cac965eb5fe124b522aa99668646e71c7d9410
• Opcode Fuzzy Hash: 0ca9a5bcab1e02d4850b76930c867641dd37b04e2f1e9fe28b1a73c2dad7d334
• Instruction Fuzzy Hash: 1611A1312102134FC7A6AB34A85497DBBE3EFE22467544C2DE64BC7B40DD30688BC791
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1788637772.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_130d000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
• Instruction ID: e386d63d023d2c68435b9ea0c7873dd9379ad65e30e450a9a22913bdb9689a06
• Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
• Instruction Fuzzy Hash: D311BE75504280CFDB12CF54D5D4B15BBA2FB44328F24C6A9D8094B696C33AD40ACB62
Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7d51a058cf31acf8d6b260119cc52307827714286737c072338dd32e089d8f3a
                                                                                                                                                  • Instruction ID: 0f332c214c891faf551c58a8311fe7726ea19742f8e508ef54db2ac327302a6a
                                                                                                                                                  • Opcode Fuzzy Hash: 7d51a058cf31acf8d6b260119cc52307827714286737c072338dd32e089d8f3a
                                                                                                                                                  • Instruction Fuzzy Hash: 63018871B102199BDF54DE69DC84ABFF7BAFBC8251F148036E604D3240DF30991597A1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 363960f3c6c78accd975bf4d7b76ba8517592104a85b7de0317ffd2b2a6992fe
                                                                                                                                                  • Instruction ID: e22fd1b2a047775f14ecfec716bc82fd7f98b7fbc14614d179ae584acd6b1e26
                                                                                                                                                  • Opcode Fuzzy Hash: 363960f3c6c78accd975bf4d7b76ba8517592104a85b7de0317ffd2b2a6992fe
                                                                                                                                                  • Instruction Fuzzy Hash: B811A0302047058FD321AF65E80466ABBE2EF96302B10892ED18A87684CB749C4ACB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f79c861766488bad9eace3310099252b46f40a0255b680e62bc1bc1f2f97ef68
                                                                                                                                                  • Instruction ID: 5f5904a3d600d687dd18152d9c1196200a29fc34c0e438a257b4f5bca9f3d719
                                                                                                                                                  • Opcode Fuzzy Hash: f79c861766488bad9eace3310099252b46f40a0255b680e62bc1bc1f2f97ef68
                                                                                                                                                  • Instruction Fuzzy Hash: 3D015E312102174F86A5A738E45493EBAA3FFF1296754482DE60B87B40DD70798A8791
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1788614728.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_12fd000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d7d46ae984d432b056a5e78e47e3c8e5158e204de0e4997acd6e4a6f2342c4e7
                                                                                                                                                  • Instruction ID: 056dc22892a75b0bd3483eb0e76c6a518b02c20f82ba47f864a8a18e2652863e
                                                                                                                                                  • Opcode Fuzzy Hash: d7d46ae984d432b056a5e78e47e3c8e5158e204de0e4997acd6e4a6f2342c4e7
                                                                                                                                                  • Instruction Fuzzy Hash: 5C01F7711183489AE7119E69CC88727FFE8EF51321F08C86EEF190A282C7799844C771
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: caafde6d7057d66bd98e92cab18e024b16b8f816433c3ca61253313be838813e
                                                                                                                                                  • Instruction ID: 338c4d177934bf546070ed78e4f3f86b14c7b7af89ae46db7b96527cf659d9b4
                                                                                                                                                  • Opcode Fuzzy Hash: caafde6d7057d66bd98e92cab18e024b16b8f816433c3ca61253313be838813e
                                                                                                                                                  • Instruction Fuzzy Hash: 310180742002098FD324AF65D44466AB7E3FBD9312B108A2DD24A87744CF74AC4ACB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 53f95e239603777d12430655046b532ad9d834a1e3197bdac4236b640914be09
                                                                                                                                                  • Instruction ID: c9202d94a294e880fb2b3bbd31f8c6949f0cf428dfca259bf0e9eaf3fbafd73e
                                                                                                                                                  • Opcode Fuzzy Hash: 53f95e239603777d12430655046b532ad9d834a1e3197bdac4236b640914be09
                                                                                                                                                  • Instruction Fuzzy Hash: A401A238A11711CFEBE48A29AA0562B77F7BF842097048C29E506C6594DB71E480DFA1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9bfff7f84ec269d239c653b51007c1226e5b12f941ab4aec70f05d3b36f4c809
                                                                                                                                                  • Instruction ID: 8476b5dcf391e15a785427d937864a6ec7bdbebf00745d08d17408a4e8eabf96
                                                                                                                                                  • Opcode Fuzzy Hash: 9bfff7f84ec269d239c653b51007c1226e5b12f941ab4aec70f05d3b36f4c809
                                                                                                                                                  • Instruction Fuzzy Hash: 7A01C4B4D05209EFDB84DFA9D9456AEFBF5BB48301F1084AAD915E3380E7740A80CF90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7d917d29e83b2aa83ec9eed050bce0f0d10e8ddd8f3e226c0fee6a9688165354
                                                                                                                                                  • Instruction ID: a4cd9aa3776de358bf1c473f88648e24325c2489f71eaa0be6f5657f45090cfd
                                                                                                                                                  • Opcode Fuzzy Hash: 7d917d29e83b2aa83ec9eed050bce0f0d10e8ddd8f3e226c0fee6a9688165354
                                                                                                                                                  • Instruction Fuzzy Hash: 0BF0F031B403005BE7A08A28AC04F597FE49B42711F148A66F314CB1E2E6B1E885A740
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1788614728.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_12fd000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9f084a37a45c4a8722b161694148e52e077ba4686d36be2e2862e08261440f37
                                                                                                                                                  • Instruction ID: 90e7d74a4b58a0ee7da451f4a0ff9e1363de34f54d2187bf9f8c4b1dbaac0dd5
                                                                                                                                                  • Opcode Fuzzy Hash: 9f084a37a45c4a8722b161694148e52e077ba4686d36be2e2862e08261440f37
                                                                                                                                                  • Instruction Fuzzy Hash: 69F0C2720043489EE7118E1ACC88B62FFE8EB41634F18C45EEE084B296C379A844CAB0
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 42b5b85ada9de9e030cdf93845d73a645a8c757c9e6b62995e96781c61b310f8
                                                                                                                                                  • Instruction ID: e6799098e7dae1ef2031fe80d5cd74cdece96668543c6b31a90e891e476f7b69
                                                                                                                                                  • Opcode Fuzzy Hash: 42b5b85ada9de9e030cdf93845d73a645a8c757c9e6b62995e96781c61b310f8
                                                                                                                                                  • Instruction Fuzzy Hash: 7AF037762041E83F8B518E9A5C10CFB7FEDDA8E161B09416AFFD8D2142C529CD61EBB0
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1dc96244f2e3e289fab01cec9ef3536dbaeaa6dd3c9c03517ded086f9481011
• Instruction ID: 00277b60e3a5ba3e71b0e3120266cc779f8daafdedfe5269ed89be32ddac1f3d
• Opcode Fuzzy Hash: c1dc96244f2e3e289fab01cec9ef3536dbaeaa6dd3c9c03517ded086f9481011
• Instruction Fuzzy Hash: DDF0EC712052515FC3556F69A884AAFBFE6EFCB251F40486EE25EC3246CA35084DC771
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90e6a8418d0defc49aafb6cde63d9cabc0943f79733ef2f961a5068ccd980ad5
• Instruction ID: 185f37c8b1542e27b128abe6146becbd051dec8a9a8e6a6a3e6d7693e69120af
• Opcode Fuzzy Hash: 90e6a8418d0defc49aafb6cde63d9cabc0943f79733ef2f961a5068ccd980ad5
• Instruction Fuzzy Hash: 01F0E971B143155BDF509A69AC44ABF7FE9EFC5251F09443AE944C3240EB309400C792
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 635924f3e70c9987914f524676075168b292da70bf97ba338e61802ffd941c1f
• Instruction ID: 9acfe0da3948d6a518451cb1b090a1f7ea423a0df41a99173f6e99982ade8cef
• Opcode Fuzzy Hash: 635924f3e70c9987914f524676075168b292da70bf97ba338e61802ffd941c1f
• Instruction Fuzzy Hash: 81F0F6302097E14FC3229739EC1465A7FE6DF97205F08089EE2C6C7652CBA55D49C7A2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 83c7832df1bebb1f176c971c0576f4326fdd05e3fdc9b0ab5f2959af22c44015
• Instruction ID: d04557ba5f14d07359f5f26021905ca8feedaaa2df6d3ba089b235b707ac1ec9
• Opcode Fuzzy Hash: 83c7832df1bebb1f176c971c0576f4326fdd05e3fdc9b0ab5f2959af22c44015
• Instruction Fuzzy Hash: 8201D131505B428FD326DF26E848121BFF2FF89300740C92EE4CA83A55CB34A48ACF40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68679cc379e0c718a52b0e448e2d0bf4991a74e15bd6e42cb9591eaf3a22c095
• Instruction ID: cd4e99a3c2bedd5a2cbf0384afb61aa25cf2f0664958306c8ffdd831c965562c
• Opcode Fuzzy Hash: 68679cc379e0c718a52b0e448e2d0bf4991a74e15bd6e42cb9591eaf3a22c095
• Instruction Fuzzy Hash: 2EF0CDF1D09249DFEF80CFB4C8061ADBFB0EB2A201F0046C6E806E7391E2784A41CB40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eaa4c7c066d38dd06d6b8015432b6767730e5b1963c5e92de6127e4545dfe65e
• Instruction ID: 9f46e84d0a3cb48355dbe1a6ebcea80d22a9a184819821b7a8009d55806336c2
• Opcode Fuzzy Hash: eaa4c7c066d38dd06d6b8015432b6767730e5b1963c5e92de6127e4545dfe65e
• Instruction Fuzzy Hash: B0F027F67092618FD3571B786C181BC3FA6EA9A25230408DFD287CB296CA244507C3E1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe2ce6baf508abfa19571f4d6ffeab8fef0b0d97c80c283441792178fa20ebf5
• Instruction ID: b5da45acbc692f1cf0c04db2febf4702493de79b7be6e62135477845d780c5d4
• Opcode Fuzzy Hash: fe2ce6baf508abfa19571f4d6ffeab8fef0b0d97c80c283441792178fa20ebf5
• Instruction Fuzzy Hash: E2F02439500B01CFEBE4CE31DA01B6B7BF2AF80315F088C6DE442869A5D6B4E484CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4dd8449c54158c93647773b703f772b207126cfa971962c61dd4a89d1a05af7
• Instruction ID: 8cba8d1a7a7ef5276756e36ef7cf3004ae325feed634bc51bdd55a11ad4c9bb6
• Opcode Fuzzy Hash: e4dd8449c54158c93647773b703f772b207126cfa971962c61dd4a89d1a05af7
• Instruction Fuzzy Hash: 53E012712041116BC7146A9AA489AAFBADAEBC9751F40453DE20EC3645CE61580587B5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5da65ccbda671eb1b828a081c59c65c07eb3797b4685544684418ffff9df8746
• Instruction ID: 63bbcc9d38f2e97fe0bb3bfb7216f31d29f08b3e9885ffe8622f57052f7c6af7
• Opcode Fuzzy Hash: 5da65ccbda671eb1b828a081c59c65c07eb3797b4685544684418ffff9df8746
• Instruction Fuzzy Hash: 3CE06DB210D2119FE341DA20AC4489B7BE8EFA1220B158C7EE544C7281E671D842CB66
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1741fbf06a0277c20c00340f2630d4f67ee707b4eae4875abea76c46b17e80e5
• Instruction ID: 770f639f1fefda8e0fae07e10ca38277a0bb451e50558e33e44483e6f1bdc1e5
• Opcode Fuzzy Hash: 1741fbf06a0277c20c00340f2630d4f67ee707b4eae4875abea76c46b17e80e5
• Instruction Fuzzy Hash: BFF09034500B069FD725DF26E448522FBF6FB88300700C62EE58A82B14DB75A549CF84
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: faa593d0edccf098d838f7f6cf92bae9bb0fb81bd267980d19ed84133409929c
• Instruction ID: 01a71d37a57d3dd3704a3c02f1746c7047e58ac789de3cf0af3c47b10d681c11
• Opcode Fuzzy Hash: faa593d0edccf098d838f7f6cf92bae9bb0fb81bd267980d19ed84133409929c
• Instruction Fuzzy Hash: 14F01535D0120DAFDB01DFB4E9489CDBFB9EB44204F1082AAD945E2240EA305B55CB81
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6e49adfd61ee2230139693e4790efcc964793073c719a1f6f4b0892fe8a1ff1
• Instruction ID: a9046da1a34ff0d6c3ef0e5b957f38081f963a9e454901962f057cd1e4716e12
• Opcode Fuzzy Hash: e6e49adfd61ee2230139693e4790efcc964793073c719a1f6f4b0892fe8a1ff1
• Instruction Fuzzy Hash: D0E065302047654FC721E72DE8487AE7FE6EF99315F04492EE34687741CBB5AC458791
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf02d6f7b2f9c0ad3853520f20c8fa97f50aae56c6432fc576fed966a20b3ae0
• Instruction ID: 31dd6f74dfafaf2dd912b5e72aa9aff0c000e7ad3ce2894df0d898e00bf5bfe6
• Opcode Fuzzy Hash: bf02d6f7b2f9c0ad3853520f20c8fa97f50aae56c6432fc576fed966a20b3ae0
• Instruction Fuzzy Hash: 32E092312056928FD762DF24F8409E97FA0DB52211B0545BBD080D7E52C63C0C4A87D6
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e842ad354d0db137cc86a355b47bf6ee9cbe56b5e9ad6f59d245d1430f5e21cf
                                                                                                                                                  • Instruction ID: fc95f383474ab602d29dbf8904103753d8af809ebc8c3742e9a7420129e4f41a
                                                                                                                                                  • Opcode Fuzzy Hash: e842ad354d0db137cc86a355b47bf6ee9cbe56b5e9ad6f59d245d1430f5e21cf
                                                                                                                                                  • Instruction Fuzzy Hash: B9E020715002134FD7459B20FD415453BA1E75A340B010077E40197EE4CA3C0D45C7D6
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ae19b56b802d868afb995baccb4515a24d51455d6dd6977359c08f92c3311ab4
                                                                                                                                                  • Instruction ID: 93b3b4e4fca267d26ee6d1ce41af0dac11ef3c2ca2e332fd7d787930fd94d6fb
                                                                                                                                                  • Opcode Fuzzy Hash: ae19b56b802d868afb995baccb4515a24d51455d6dd6977359c08f92c3311ab4
                                                                                                                                                  • Instruction Fuzzy Hash: 3CE092B05093D3EFDB52DB24B4449683FA0DB42100B1509BAD88097E55C67C0C45C785
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9e360b2e13bc8ed89e0bdec12fdc321eef4a1223eed11fdcf3c0c9d40aa7551d
                                                                                                                                                  • Instruction ID: 5ba9ad89c5f021bbce7c8d15f8878aaa7ba49bc83921ba51ba6136a18e3a7326
                                                                                                                                                  • Opcode Fuzzy Hash: 9e360b2e13bc8ed89e0bdec12fdc321eef4a1223eed11fdcf3c0c9d40aa7551d
                                                                                                                                                  • Instruction Fuzzy Hash: B9E0D871909255EFCB01CF64AC0099D7BB1DB92101B2042EBE409E3351D5340F15C751
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3411d7c23ca2dd04f75370542d46619eb624cc0e9bec998c44fcdf88fa77e68d
                                                                                                                                                  • Instruction ID: 5eb8ed3fafc5dc57301cf42dfdc2fbcd8fca8cdb8b20704ddae7ac8fa948a18a
                                                                                                                                                  • Opcode Fuzzy Hash: 3411d7c23ca2dd04f75370542d46619eb624cc0e9bec998c44fcdf88fa77e68d
                                                                                                                                                  • Instruction Fuzzy Hash: 04D05EB1310129978B0967A9B4189BE7BEBEBC5672700052EE70BC3244CE755D0687E5
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f13c885658a4f2897214fd7845a2dc9d5d521e0a158eacd4b65799186111c6af
                                                                                                                                                  • Instruction ID: 204aebc810ccf305c60ecdc9e655805ba5d0920ed3642a984a7c474486e119e4
                                                                                                                                                  • Opcode Fuzzy Hash: f13c885658a4f2897214fd7845a2dc9d5d521e0a158eacd4b65799186111c6af
                                                                                                                                                  • Instruction Fuzzy Hash: 17E09275D0020DEFCB50DFE4E9848DDBBB9EB48201F1082AADA09A3200EB316B55DF80
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d548e762667f1f57f2d0ae2c79b3df00c3a3ee1e02f910a69b9b2920e9fc4390
                                                                                                                                                  • Instruction ID: 8780564fe178c1b38fddc82f4dd15a70c48a87d9e121e19bf1ce9793c37fb3bb
                                                                                                                                                  • Opcode Fuzzy Hash: d548e762667f1f57f2d0ae2c79b3df00c3a3ee1e02f910a69b9b2920e9fc4390
                                                                                                                                                  • Instruction Fuzzy Hash: 3AE0C739228282CFC3629F38D800821BFB0AF0320038888CAE0C0CB6B3C2208860DB11
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9f2f55d3d4f83c2ba59b0deda39cd5211067b4960c5eee0b2a7ccdd7e74a02d4
                                                                                                                                                  • Instruction ID: 49297850498c1fa92b4d16bfe5960b99b42caa21554398337db645ebc02697c7
                                                                                                                                                  • Opcode Fuzzy Hash: 9f2f55d3d4f83c2ba59b0deda39cd5211067b4960c5eee0b2a7ccdd7e74a02d4
                                                                                                                                                  • Instruction Fuzzy Hash: 68D05EB2A0020EFFCB40DFA8E90095DB7F9EB94205B1045BED509E3300EA352F049B90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7a36b33f0abb722c647b4411a08351bb433128bad45603386f1b6abfd11ce50a
                                                                                                                                                  • Instruction ID: 76bb039a917251f76a5035bcf080824288f75027d85089baf017edde5f2d3799
                                                                                                                                                  • Opcode Fuzzy Hash: 7a36b33f0abb722c647b4411a08351bb433128bad45603386f1b6abfd11ce50a
                                                                                                                                                  • Instruction Fuzzy Hash: 71C012367000224B0294B76C701087EA6D7A2EC1E3385003FE60EC3348CD719C478390
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4681f1a2a5883a34a16873ffe3bbfca1e9f66dd6c66941a0cb4724c5d0adb817
                                                                                                                                                  • Instruction ID: c3ab1866424e4b9a6f4832601e2478f1e176fbd73274d77b71888930ac99af54
                                                                                                                                                  • Opcode Fuzzy Hash: 4681f1a2a5883a34a16873ffe3bbfca1e9f66dd6c66941a0cb4724c5d0adb817
                                                                                                                                                  • Instruction Fuzzy Hash: 64C02BF238241811D200205838847BF531AC7F02A1E048037D248E86C1C82404019355
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 919b740f4419949ff2e394596d5e62cef57bfb840151586df3438ff9436f862d
                                                                                                                                                  • Instruction ID: 5b33b7416dd78258ef654880d6fd7b0b08f47cbad3fc8a06a8be73ca594056b0
                                                                                                                                                  • Opcode Fuzzy Hash: 919b740f4419949ff2e394596d5e62cef57bfb840151586df3438ff9436f862d
                                                                                                                                                  • Instruction Fuzzy Hash: FFC02BF7010240A3D30226048C4AF386422E3B8743F4DC020F300C6380E7B18000B910
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cc705c1272c7b0ac7046bd8417a4e6f550fcf10e396f2239af068dca3a7c6e11
                                                                                                                                                  • Instruction ID: 3232bc047c49b869d3b3251680a6c298b2fd96fa26dd39ad1479d57c46738165
                                                                                                                                                  • Opcode Fuzzy Hash: cc705c1272c7b0ac7046bd8417a4e6f550fcf10e396f2239af068dca3a7c6e11
                                                                                                                                                  • Instruction Fuzzy Hash: 01C04C25A4B3D15BEB121B34990D5147F656F53A24F2904CF968189463C5250009C791
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 56cd3bcc027e1d54c102e33024c9a4278a9db5ca8cdbfd16d35c46230872a6f1
                                                                                                                                                  • Instruction ID: 6daa41ea7a0c8c79a90e149c2cf0ca2f76c9ac7f497b2416e5f4e68a03902784
                                                                                                                                                  • Opcode Fuzzy Hash: 56cd3bcc027e1d54c102e33024c9a4278a9db5ca8cdbfd16d35c46230872a6f1
                                                                                                                                                  • Instruction Fuzzy Hash: BF6241B06102019FD748DF19C45472ABAE6EB98309F64C86CC10D9F391DFBAD94BDB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c9b8ac4a22c295c481e97479d912114362668f164d8275eb5f90c3d3ea9e66e6
                                                                                                                                                  • Instruction ID: 0443462c581841844211fc60c417018210c71c3942b015214a669c4853b957ce
                                                                                                                                                  • Opcode Fuzzy Hash: c9b8ac4a22c295c481e97479d912114362668f164d8275eb5f90c3d3ea9e66e6
                                                                                                                                                  • Instruction Fuzzy Hash: 3B6241B06102019FD748DF19C45872ABAE6EB98309F64C86CC10D9F391DFBAD94BDB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1789009970.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1770000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3e4ec9b17065c0c54183dd74210727ac2df1c8dbf721b261383fb8729facc2bf
                                                                                                                                                  • Instruction ID: 8b94445e45de3256fdf3c70d240bcbb41c7df45ff8bb7079c066927e7e5b601c
                                                                                                                                                  • Opcode Fuzzy Hash: 3e4ec9b17065c0c54183dd74210727ac2df1c8dbf721b261383fb8729facc2bf
                                                                                                                                                  • Instruction Fuzzy Hash: 3DA17D32E002068FCF15DFB9C9445DEFBB2FF84300B25856AE915AB265DB71E956CB80
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1806011031.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6800000_gm5v3JlTMk.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: (_qq$(_qq$(_qq$(_qq$(_qq$(_qq
                                                                                                                                                  • API String ID: 0-4249418602
                                                                                                                                                  • Opcode ID: ed8e265811930e9abedfc9494665e4123197e1bc2d1003b1c4f0cb1e2159536c
                                                                                                                                                  • Instruction ID: 068163885def920902a89854e8f2227c01072d596099da66d5b1fd14f776983e
                                                                                                                                                  • Opcode Fuzzy Hash: ed8e265811930e9abedfc9494665e4123197e1bc2d1003b1c4f0cb1e2159536c
                                                                                                                                                  • Instruction Fuzzy Hash: A1D1ED78B043049FDB559F78C81456EBBB2EF96300F54886EE946DB381DA35DD06CB81
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%