Windows Analysis Report
XHr735qu8v.exe

Overview

General Information

Sample name: XHr735qu8v.exe (renamed because the original name is a hash value)
Original sample name: dcf8679430bc69cfc5eb65f4dabf4f09.exe
Analysis ID: 1431075
MD5: dcf8679430bc69cfc5eb65f4dabf4f09
SHA1: 9710f630423d29c6f3b5896eb47de41a57086275
SHA256: 53e9bec7369824cc6c1c0823afd428d6c8b3156870527b72916c1cb898e3f43d
Tags: exe RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • XHr735qu8v.exe (PID: 1808 cmdline: "C:\Users\user\Desktop\XHr735qu8v.exe" MD5: DCF8679430BC69CFC5EB65F4DABF4F09)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}
Yara matches

Source: XHr735qu8v.exe
Rule: JoeSecurity_RedLine
Description: Yara detected RedLine Stealer
Author: Joe Security

Source: dump.pcap
Rule: JoeSecurity_RedLine_1
Description: Yara detected RedLine Stealer
Author: Joe Security

Source: dump.pcap
Rule: JoeSecurity_RedLine
Description: Yara detected RedLine Stealer
Author: Joe Security

Source: 00000001.00000000.2091990464.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
Rule: JoeSecurity_RedLine
Description: Yara detected RedLine Stealer
Author: Joe Security

Source: 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_RedLine
Description: Yara detected RedLine Stealer
Author: Joe Security

Source: Process Memory Space: XHr735qu8v.exe PID: 1808
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: Process Memory Space: XHr735qu8v.exe PID: 1808
Rule: JoeSecurity_RedLine
Description: Yara detected RedLine Stealer
Author: Joe Security

Source: 1.0.XHr735qu8v.exe.bc0000.0.unpack
Rule: JoeSecurity_RedLine
Description: Yara detected RedLine Stealer
Author: Joe Security

No Sigma rule has matched

Snort IDS alerts

Timestamp: 04/24/24-14:42:00.417225
SID: 2046045
Source Port: 49710
Destination Port: 2630
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/24/24-14:42:15.218803
SID: 2043231
Source Port: 49710
Destination Port: 2630
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/24/24-14:42:05.910422
SID: 2046056
Source Port: 2630
Destination Port: 49710
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/24/24-14:42:00.638318
SID: 2043234
Source Port: 2630
Destination Port: 49710
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: XHr735qu8v.exe, Malware Configuration Extractor: RedLine {"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}
Source: XHr735qu8v.exe, ReversingLabs: Detection: 63%
Source: XHr735qu8v.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XHr735qu8v.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\XHr735qu8v.exe, Code function: 4x nop then jmp 081686CAh (1_2_081682A8)
Source: C:\Users\user\Desktop\XHr735qu8v.exe, Code function: 4x nop then jmp 08168B4Ah (1_2_081682A8)

Networking

Source: Traffic, Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.6:49710 -> 103.113.70.99:2630
Source: Traffic, Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.6:49710 -> 103.113.70.99:2630
Source: Traffic, Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 103.113.70.99:2630 -> 192.168.2.6:49710
Source: Traffic, Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 103.113.70.99:2630 -> 192.168.2.6:49710
Source: Malware configuration extractor, URLs: 103.113.70.99:2630
Source: global traffic, TCP traffic: 192.168.2.6:49710 -> 103.113.70.99:2630
Source: Joe Sandbox View, IP Address: 103.113.70.99
Source: Joe Sandbox View, ASN Name: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN
Source: unknown, TCP traffic detected without corresponding DNS query: 103.113.70.99
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003417000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.00000000033C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp, XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp, XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003417000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003417000.00000004.00000800.00020000.00000000.sdmp, XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp, XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003417000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp, XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003417000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp, XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.00000000030FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: XHr735qu8v.exeString found in binary or memory: https://api.ip.sb/ip
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp4DE2.tmp
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp4DC2.tmp
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_0135DC74
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_068067D8
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_0680A3E8
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_06803F50
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_0680A3D8
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_06806FE8
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_06806FF8
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08164080
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_081682A8
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_0816B300
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08164BB0
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08163C00
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08165D10
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08166D08
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_081655B8
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_081635A8
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08162DD0
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08167748
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08160006
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08160040
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08164070
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08162188
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08168298
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08164B85
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08162538
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08162548
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08163599
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08162DC0
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08168E90
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_08168E8F
                    Source: XHr735qu8v.exe, 00000001.00000000.2092018575.0000000000C06000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUpspearing.exe8 vs XHr735qu8v.exe
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs XHr735qu8v.exe
                    Source: XHr735qu8v.exe, 00000001.00000002.2281326161.000000000136E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs XHr735qu8v.exe
                    Source: XHr735qu8v.exe | Binary or memory string: OriginalFilenameUpspearing.exe8 vs XHr735qu8v.exe
                    Source: XHr735qu8v.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/5@0/1
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Mutant created: NULL
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp4DC2.tmp
                    Source: XHr735qu8v.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: XHr735qu8v.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | File read: C:\Program Files (x86)\desktop.ini
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: XHr735qu8v.exe | ReversingLabs: Detection: 63%
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: msvcp140_clr0400.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: msisip.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: wshext.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: appxsip.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: opcservices.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: esdsip.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: sxs.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: scrrun.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: linkinfo.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
                    Source: Google Chrome.lnk.1.dr | LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: XHr735qu8v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: XHr735qu8v.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: XHr735qu8v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: XHr735qu8v.exe | Static PE information: 0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_0680C711 push es; ret 1_2_0680C720
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_0680D413 push es; ret 1_2_0680D420
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Code function: 1_2_0680ECF2 push eax; ret 1_2_0680ED01

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
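The ROOT-store write above is the entry a responder should pivot on first: the thumbprint is the registry key name under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, so its presence on any other host means the same attacker-installed trust anchor is there too. Together with the WMI fingerprinting queries (Win32_Processor), the public-IP lookup string (https://api.ip.sb/ip) and the future-dated PE timestamp (0xF0DBE6BE) earlier in this section, it is the kind of indicator worth extracting mechanically from a report like this. The following Python is an added example and is not Joe Sandbox code or part of this report; it assumes the flattened "Source: <subject> | <event>: <detail>" row layout used on this page, and the sample rows, the VM-fingerprint class set beyond the three classes this report names, and the IP-check host list beyond api.ip.sb are constructed assumptions.

```python
"""Triage helper for flattened Joe Sandbox-style behaviour rows.

Added example, not Joe Sandbox code. Assumes the "Source: <subject> | <event>: <detail>"
row layout used on this page; SAMPLE_LINES are constructed from entries in the report.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows, in the shape the report above presents them.
SAMPLE_LINES = [
    r"Source: XHr735qu8v.exe | Static PE information: 0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]",
    r"Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'",
    r"Source: XHr735qu8v.exe | String found in binary or memory: https://api.ip.sb/ip",
    r"Source: C:\Users\user\Desktop\XHr735qu8v.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob",
    r"Source: C:\Users\user\Desktop\XHr735qu8v.exe | Section loaded: amsi.dll",
]

# WMI classes queried to fingerprint a VM or sandbox. The report flags Win32_Processor,
# Win32_DiskDrive and Win32_VideoController; the other two are an assumed extension.
VM_FINGERPRINT_CLASSES = {"win32_processor", "win32_diskdrive", "win32_videocontroller",
                          "win32_computersystem", "win32_bios"}
# Public-IP lookup services used to geolocate the victim; api.ip.sb is the one in this
# sample, the rest are assumed additions you would tune locally.
IP_CHECK_HOSTS = {"api.ip.sb", "api.ipify.org", "ipinfo.io", "icanhazip.com"}

ROOT_CERT_RE = re.compile(r"SystemCertificates\\ROOT\\Certificates\\([0-9A-F]{40})", re.I)
WMI_RE = re.compile(r"SELECT \* FROM (Win32_\w+)", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)")
PE_TS_RE = re.compile(r"Static PE information: 0x([0-9A-F]{8})", re.I)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Link dates before this are treated as forged as well (cutoff is an assumption).
OLDEST_PLAUSIBLE = datetime(2000, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(raw: int) -> datetime:
    """Decode IMAGE_FILE_HEADER.TimeDateStamp: seconds since the Unix epoch, UTC."""
    return EPOCH + timedelta(seconds=raw)


def timestamp_is_suspicious(raw: int, analysis_time: datetime) -> bool:
    """A link time after the analysis ran cannot be genuine; an implausibly old one is forged too."""
    ts = pe_timestamp(raw)
    return ts > analysis_time or ts < OLDEST_PLAUSIBLE


def triage(lines, analysis_time=None):
    """Return the indicators worth pivoting on from a list of report rows."""
    analysis_time = analysis_time or datetime.now(timezone.utc)
    findings = {
        "root_cert_thumbprints": [],   # new trust anchors: hunt for the key name on other hosts
        "vm_fingerprint_wmi": [],      # evasion: WMI classes queried to detect a VM
        "ip_check_hosts": [],          # victim geolocation via public-IP services
        "suspicious_timestamp": None,  # ISO time of an implausible link date, if any
    }
    for line in lines:
        if m := ROOT_CERT_RE.search(line):
            findings["root_cert_thumbprints"].append(m.group(1).upper())
        if m := WMI_RE.search(line):
            # "Win32_Process Where ..." yields Win32_Process, which is not a fingerprint class
            if m.group(1).lower() in VM_FINGERPRINT_CLASSES:
                findings["vm_fingerprint_wmi"].append(m.group(1))
        if m := URL_RE.search(line):
            host = m.group(1).lower()
            if host in IP_CHECK_HOSTS:
                findings["ip_check_hosts"].append(host)
        if m := PE_TS_RE.search(line):
            raw = int(m.group(1), 16)
            if timestamp_is_suspicious(raw, analysis_time):
                findings["suspicious_timestamp"] = pe_timestamp(raw).isoformat()
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the sample rows the script reports the thumbprint F1A578C4CB5DE79A370893983FD4DA8B67B2B064, Win32_Processor as the fingerprinting query, api.ip.sb as the IP-check host, and decodes 0xF0DBE6BE to 2098-01-19T04:14:54 UTC, which matches the bracketed date in the report and is flagged because it lies after any analysis date. Running it over the whole report rather than this excerpt is the intended use; anything it pulls out still needs the original row checked before it becomes a blocking indicator.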
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Memory allocated: 1350000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Memory allocated: 2F90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Memory allocated: 15F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Window / User API: threadDelayed 764
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Window / User API: threadDelayed 2875
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe TID: 3656 | Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe TID: 2716 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Thread delayed: delay time: 922337203685477
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                    Source: XHr735qu8v.exe, 00000001.00000002.2281497322.000000000142C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.00000000034BD000.00000004.00000800.00020000.00000000.sdmp, XHr735qu8v.exe, 00000001.00000002.2281844313.00000000031FF000.00000004.00000800.00020000.00000000.sdmp, XHr735qu8v.exe, 00000001.00000002.2281844313.000000000331B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbLR
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                    Source: XHr735qu8v.exe, 00000001.00000002.2286009570.000000000422E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                    Source: XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Users\user\Desktop\XHr735qu8v.exe VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: XHr735qu8v.exe, 00000001.00000002.2296813365.0000000007ABF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\XHr735qu8v.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    barindex
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: XHr735qu8v.exe, type: SAMPLE
                    Source: Yara matchFile source: 1.0.XHr735qu8v.exe.bc0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000000.2091990464.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: XHr735qu8v.exe PID: 1808, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\XHr735qu8v.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
Source: C:\Users\user\Desktop\XHr735qu8v.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\XHr735qu8v.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Desktop\XHr735qu8v.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XHr735qu8v.exe PID: 1808, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: XHr735qu8v.exe, type: SAMPLE
Source: Yara match | File source: 1.0.XHr735qu8v.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.2091990464.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XHr735qu8v.exe PID: 1808, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | 1 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 231 Security Software Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Install Root Certificate | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 113 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

Source | Detection | Scanner | Label | Link
XHr735qu8v.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id2Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id21Response | 4% | Virustotal | | Browse
http://tempuri.org/Entity/Id8 | 1% | Virustotal | | Browse
http://tempuri.org/ | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id4 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id5ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id6Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id24Response | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id22 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id17 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id14 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id18 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id21ResponseD | 1% | Virustotal | | Browse
                    No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003417000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://tempuri.org/ | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp; XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 4%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003417000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13ResponseD | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | XHr735qu8v.exe | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1ResponseD | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp; XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id20 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id22 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp; XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003417000.00000004.00000800.00020000.00000000.sdmp; XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id1Response | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21ResponseD | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trustXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://tempuri.org/Entity/Id10XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 1%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://tempuri.org/Entity/Id11XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 1%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://tempuri.org/Entity/Id10ResponseDXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 1%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://tempuri.org/Entity/Id12XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 1%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://tempuri.org/Entity/Id16ResponseXHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 2%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://tempuri.org/Entity/Id13XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id14XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id15XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id16XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • 1%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/NonceXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id17XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id18XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id5ResponseXHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id19XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsXHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id15ResponseDXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id10ResponseXHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RenewXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id11ResponseDXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id8ResponseXHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2006/02/addressingidentityXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id17ResponseDXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/soap/envelope/XHr735qu8v.exe, 00000001.00000002.2281844313.0000000002F91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id8ResponseDXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1XHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trustXHr735qu8v.exe, 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
Contacted IP
IP: 103.113.70.99
Domain: unknown
Country: India
ASN: 133973
ASN Name: NETCONNECTWIFI-AS NetConnectWifiPvtLtdIN
Malicious: true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431075
Start date and time: 2024-04-24 14:41:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XHr735qu8v.exe (renamed because the original name is a hash value)
Original Sample Name: dcf8679430bc69cfc5eb65f4dabf4f09.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/5@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 92
• Number of non-executed functions: 14
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
14:42:10 | API Interceptor | 21x Sleep call for process: XHr735qu8v.exe modified
Context for IP 103.113.70.99 (other samples previously seen contacting this address)
Associated Sample Name / URL | Detection | Threat Name
gm5v3JlTMk.exe | malicious | RedLine
o8uKhd6peZ.exe | malicious | RedLine
vguZEL1YWf.exe | malicious | RedLine
djiwhBMknd.exe | malicious | RedLine
ExAXLXWP9K.exe | malicious | RedLine
44QHzbqD3m.exe | malicious | RedLine
3q1lESMAMh.exe | malicious | RedLine
fkmfYBX2c6.exe | malicious | RedLine
IcDaW5Yzvb.exe | malicious | RedLine
W8Q1QyZc1j.exe | malicious | RedLine
Domain context: No context
Context for ASN NETCONNECTWIFI-AS NetConnectWifiPvtLtdIN (all entries via 103.113.70.99)
Associated Sample Name / URL | Detection | Threat Name | IP
gm5v3JlTMk.exe | malicious | RedLine | 103.113.70.99
o8uKhd6peZ.exe | malicious | RedLine | 103.113.70.99
vguZEL1YWf.exe | malicious | RedLine | 103.113.70.99
djiwhBMknd.exe | malicious | RedLine | 103.113.70.99
ExAXLXWP9K.exe | malicious | RedLine | 103.113.70.99
44QHzbqD3m.exe | malicious | RedLine | 103.113.70.99
3q1lESMAMh.exe | malicious | RedLine | 103.113.70.99
fkmfYBX2c6.exe | malicious | RedLine | 103.113.70.99
IcDaW5Yzvb.exe | malicious | RedLine | 103.113.70.99
W8Q1QyZc1j.exe | malicious | RedLine | 103.113.70.99
JA3 fingerprint context: No context
Dropped file context: No context
                                                                                                                                                Process:C:\Users\user\Desktop\XHr735qu8v.exe
                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:17 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2104
                                                                                                                                                Entropy (8bit):3.4685717994045424
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:8Swd5TvG90lRYrnvPdAKRkdAGdAKRFdAKR6P:8Saby7
                                                                                                                                                MD5:A3404237F13324E0B44F2581B42EB446
                                                                                                                                                SHA1:EC6FF332D1A4700188C4C968B67431AFEA344FE9
                                                                                                                                                SHA-256:5AFE1895ABD15C01121B18B29F91A0A2A9206E85D5A8B969B6AB6EF08C37A1E5
                                                                                                                                                SHA-512:35DA335581402E8DC4F4C72359C108E225C57EDEC5AF9AEF537C753F536202C5566BCADD2D7045A03BC104D405804DF05709879A22874579A1EDE8A41C14679E
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview:L..................F.@.. ......,........W....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IEW.5....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW@2....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.2..Chrome..>......CW.VEW.2....M.....................7...C.h.r.o.m.e.....`.1.....EW.2..APPLIC~1..H......CW.VEW.2..........................7...A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.5.........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
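The dropped shortcut above is the part of this report worth hunting for on endpoints: a .lnk named "Access the Internet" whose relative path ends in chrome.exe, whose working directory is C:\Program Files\Google\Chrome\Application, and whose command-line arguments begin with --proxy-server (the rest of the value is cut off in the preview). Read together with the "Installs new ROOT certificates" signature and the two identical DER certificate files dropped below, this is a browser-interception setup: traffic is pushed through a proxy and the root certificate makes the proxy's TLS certificates trusted. The preview also shows the MS-SHLLINK StringData layout directly: the single bytes ';' (59), '*' (42) and '!' (33) before the relative path, working directory and arguments are the CountCharacters prefixes of those UTF-16LE strings. The following stdlib-only parser is an added example, not code from the report or from Joe Sandbox; it walks the ShellLink header to the StringData fields and flags browser-weakening switches. The sample .lnk is constructed in code to match the preview, the proxy address 127.0.0.1:8080 is made up, and the list of switches beyond --proxy-server is my own choice of what to watch for.

```python
"""Parse the StringData section of a Windows shortcut (MS-SHLLINK) and flag
shortcuts that launch a browser with proxy or certificate-weakening switches.
Stdlib only; the sample .lnk below is constructed in code, not taken from disk."""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits from MS-SHLLINK 2.1.1 (only those needed to reach StringData)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Chromium switches worth flagging on a user-facing browser shortcut (my list, not the report's).
SUSPICIOUS_SWITCHES = (
    "--proxy-server",
    "--proxy-pac-url",
    "--ignore-certificate-errors",
    "--load-extension",
    "--disable-web-security",
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk; None for fields the file omits."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("bad ShellLink header size")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad ShellLink CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            out[field] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        out[field] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
    return out


def suspicious_switches(info: dict) -> list:
    """Switches from SUSPICIOUS_SWITCHES present in the shortcut's arguments."""
    args = (info.get("arguments") or "").lower()
    return [s for s in SUSPICIOUS_SWITCHES if s in args]


def build_lnk(name, relative_path, working_dir, arguments, unicode=True) -> bytes:
    """Build a minimal .lnk (constructed test input) carrying only StringData fields."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
    if unicode:
        flags |= IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, times, size, icon, show, hotkey, reserved

    def field(text):
        enc = text.encode("utf-16-le" if unicode else "cp1252")
        return struct.pack("<H", len(text)) + enc

    return header + field(name) + field(relative_path) + field(working_dir) + field(arguments)


# Constructed sample modelled on the dropped shortcut: name, target and working directory
# match the report preview; the proxy address is made up because the preview truncates it.
SAMPLE_LNK = build_lnk(
    name="Access the Internet",
    relative_path=r"..\..\..\Program Files\Google\Chrome\Application\chrome.exe",
    working_dir=r"C:\Program Files\Google\Chrome\Application",
    arguments="--proxy-server=127.0.0.1:8080",
)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(info["relative_path"], info["arguments"])
    print("flagged switches:", suspicious_switches(info))
```

On a live host the same parser can be pointed at every .lnk under the user's Desktop, Start Menu and taskbar pinned folders; a Chrome or Edge shortcut whose arguments contain --proxy-server is not something a normal install creates, and the matching root certificate should then be looked for in the machine and user ROOT stores.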
                                                                                                                                                Process:C:\Users\user\Desktop\XHr735qu8v.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3274
                                                                                                                                                Entropy (8bit):5.3318368586986695
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                                                                                                                                                MD5:0B2E58EF6402AD69025B36C36D16B67F
                                                                                                                                                SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                                                                                                                                                SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                                                                                                                                                SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                Process:C:\Users\user\Desktop\XHr735qu8v.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2662
                                                                                                                                                Entropy (8bit):7.8230547059446645
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                                MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                                SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                                SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                                SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
                                                                                                                                                Process:C:\Users\user\Desktop\XHr735qu8v.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2662
                                                                                                                                                Entropy (8bit):7.8230547059446645
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                                MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                                SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                                SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                                SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
                                                                                                                                                Process:C:\Users\user\Desktop\XHr735qu8v.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2251
                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3::
                                                                                                                                                MD5:0158FE9CEAD91D1B027B795984737614
                                                                                                                                                SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                                                                                                                SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                                                                                                                SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                Entropy (8bit):5.061353871330497
                                                                                                                                                TrID:
                                                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                File name:XHr735qu8v.exe
                                                                                                                                                File size:312'989 bytes
                                                                                                                                                MD5:dcf8679430bc69cfc5eb65f4dabf4f09
                                                                                                                                                SHA1:9710f630423d29c6f3b5896eb47de41a57086275
                                                                                                                                                SHA256:53e9bec7369824cc6c1c0823afd428d6c8b3156870527b72916c1cb898e3f43d
                                                                                                                                                SHA512:3e685e2cae493a05c8a5a13d9513cb9b2e94054e7da92a34e87d2eba549e43801664e0beaa3229d9f4389911868bd31a66563c445055e18e648d7c893299b2bf
                                                                                                                                                SSDEEP:6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
                                                                                                                                                TLSH:18645C1823EC8911E27F4B7994A1E274D375ED56A452E30F4ED06CAB3E32741FA11AB2
                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................
                                                                                                                                                Icon Hash:4d8ea38d85a38e6d
                                                                                                                                                Entrypoint:0x42b9ae
                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                Digitally signed:false
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                Subsystem:windows gui
                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                Time Stamp:0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
                                                                                                                                                TLS Callbacks:
                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                OS Version Major:4
                                                                                                                                                OS Version Minor:0
                                                                                                                                                File Version Major:4
                                                                                                                                                File Version Minor:0
                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
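Two of the header fields above deserve a practitioner's caveat. The Time Stamp 0xF0DBE6BE decodes to 19 January 2098, which is why the "suspicious time stamp" signature fires; but deterministic Roslyn builds replace the COFF TimeDateStamp with a value derived from the compilation's content rather than a clock, so far-future dates are routine in benign .NET assemblies and the field is a weak signal on its own for managed code. The Import Hash f34d5f2d4577ed6d9ceec516c1f5a744 is the value every PE gets whose only import is mscoree!_CorExeMain, i.e. it says "managed executable", not "RedLine". The following stdlib-only triage routine is an added example, not code from the report or from Joe Sandbox; it reads the timestamp straight from the COFF header, classifies it against a supplied "now", and notes the .NET caveat. The PE-like buffer it parses is constructed in code with the reported timestamp, not the sample itself, and the 1995 floor and the fixed "now" are my own choices.

```python
"""Read the COFF TimeDateStamp of a PE file and judge whether it is a plausible
build time. Stdlib only; the PE-like buffer built below is constructed, not the sample."""
import struct
from datetime import datetime, timezone

REPORTED_TIMESTAMP = 0xF0DBE6BE   # value from the report; decodes to 2098-01-19 04:14:54 UTC
# Import hash from the report: the generic value of a PE importing only mscoree!_CorExeMain.
DOTNET_STUB_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def pe_timestamp(data: bytes) -> int:
    """TimeDateStamp from the COFF file header (raises on a non-PE buffer)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_utc(ts: int) -> str:
    """Render a 32-bit PE timestamp as a UTC date string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def classify_timestamp(ts: int, now_ts: int) -> str:
    """'zero', 'future', 'ancient' or 'plausible' relative to now_ts (unix seconds)."""
    if ts == 0:
        return "zero"          # field stripped; seen with some linkers and packers
    if ts > now_ts:
        return "future"        # clock cannot have produced this
    if datetime.fromtimestamp(ts, tz=timezone.utc).year < 1995:
        return "ancient"       # predates any PE toolchain a current sample would use (my floor)
    return "plausible"


def triage(data: bytes, now_ts: int, is_dotnet: bool = False) -> dict:
    """Timestamp verdict plus the caveat that applies to managed binaries."""
    ts = pe_timestamp(data)
    verdict = classify_timestamp(ts, now_ts)
    note = ""
    if is_dotnet and verdict == "future":
        note = ("deterministic Roslyn builds store a content-derived value here; "
                "weak signal for .NET, corroborate with other indicators")
    return {"timestamp": ts, "utc": timestamp_utc(ts), "verdict": verdict, "note": note}


def build_pe_stub(timestamp: int, machine: int = 0x14C, nsections: int = 3) -> bytes:
    """Constructed minimal MZ + PE signature + COFF header, enough for pe_timestamp()."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, nsections, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# Fixed "now" so the classification is reproducible: 2024-04-24 00:00 UTC (my choice).
ANALYSIS_NOW = 1_713_916_800

if __name__ == "__main__":
    print(triage(build_pe_stub(REPORTED_TIMESTAMP), ANALYSIS_NOW, is_dotnet=True))
```

For a real file, pass `open(path, "rb").read()` to `triage` and set `is_dotnet` from the presence of a CLR header (data directory 14) or, as here, from the report's own file type line; a "future" verdict on an unmanaged PE is a much stronger signal than the same verdict on a .NET assembly.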
Instruction (entrypoint disassembly; for this .NET assembly only the first jmp, through the import table at 00402000h to mscoree!_CorExeMain, is executed code: the bytes that follow are UTF-16LE string data, visible in immediates such as 006C006Ch and 61006800h, which the disassembler decodes as instructions)
                                                                                                                                                jmp dword ptr [00402000h]
                                                                                                                                                popad
                                                                                                                                                add byte ptr [ebp+00h], dh
                                                                                                                                                je 00007F7E01513702h
                                                                                                                                                outsd
                                                                                                                                                add byte ptr [esi+00h], ah
                                                                                                                                                imul eax, dword ptr [eax], 006C006Ch
                                                                                                                                                xor eax, 59007400h
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                push edx
                                                                                                                                                add byte ptr [ecx+00h], dh
                                                                                                                                                popad
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                push esi
                                                                                                                                                add byte ptr [edi+00h], ch
                                                                                                                                                popad
                                                                                                                                                add byte ptr [ebp+00h], ch
                                                                                                                                                push 61006800h
                                                                                                                                                add byte ptr [ebp+00h], ch
                                                                                                                                                dec edx
                                                                                                                                                add byte ptr [eax], bh
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                push edi
                                                                                                                                                add byte ptr [ecx], bh
                                                                                                                                                add byte ptr [ecx+00h], bh
                                                                                                                                                bound eax, dword ptr [eax]
                                                                                                                                                xor al, byte ptr [eax]
                                                                                                                                                insb
                                                                                                                                                add byte ptr [eax+00h], bl
                                                                                                                                                pop ecx
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                js 00007F7E01513702h
                                                                                                                                                jnc 00007F7E01513702h
                                                                                                                                                pop edx
                                                                                                                                                add byte ptr [eax+00h], bl
                                                                                                                                                push ecx
                                                                                                                                                add byte ptr [ebx+00h], cl
                                                                                                                                                popad
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                dec edx
                                                                                                                                                add byte ptr [ebp+00h], dh
                                                                                                                                                pop edx
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                jo 00007F7E01513702h
                                                                                                                                                imul eax, dword ptr [eax], 5Ah
                                                                                                                                                add byte ptr [ebp+00h], ch
                                                                                                                                                jo 00007F7E01513702h
                                                                                                                                                je 00007F7E01513702h
                                                                                                                                                bound eax, dword ptr [eax]
                                                                                                                                                push edi
                                                                                                                                                add byte ptr [eax+eax+77h], dh
                                                                                                                                                add byte ptr [ecx+00h], bl
                                                                                                                                                xor al, byte ptr [eax]
                                                                                                                                                xor eax, 63007300h
                                                                                                                                                add byte ptr [edi+00h], al
                                                                                                                                                push esi
                                                                                                                                                add byte ptr [ecx+00h], ch
                                                                                                                                                popad
                                                                                                                                                add byte ptr [edx], dh
                                                                                                                                                add byte ptr [eax+00h], bh
                                                                                                                                                je 00007F7E01513702h
                                                                                                                                                bound eax, dword ptr [eax]
                                                                                                                                                insd
                                                                                                                                                add byte ptr [eax+eax+76h], dh
                                                                                                                                                add byte ptr [edx+00h], bl
                                                                                                                                                push edi
                                                                                                                                                add byte ptr [ecx], bh
                                                                                                                                                add byte ptr [eax+00h], dh
                                                                                                                                                popad
                                                                                                                                                add byte ptr [edi+00h], al
                                                                                                                                                cmp dword ptr [eax], eax
                                                                                                                                                insd
                                                                                                                                                add byte ptr [edx+00h], bl
                                                                                                                                                push edi
                                                                                                                                                add byte ptr [esi+00h], cl
                                                                                                                                                cmp byte ptr [eax], al
                                                                                                                                                push esi
                                                                                                                                                add byte ptr [eax+00h], cl
                                                                                                                                                dec edx
                                                                                                                                                add byte ptr [esi+00h], dh
                                                                                                                                                bound eax, dword ptr [eax]
                                                                                                                                                insd
                                                                                                                                                add byte ptr [eax+00h], bh
                                                                                                                                                jo 00007F7E01513702h
                                                                                                                                                bound eax, dword ptr [eax]
                                                                                                                                                insd
                                                                                                                                                add byte ptr [ebx+00h], dh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b95c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2b940 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2e994 | 0x2ec00 | 64c48738b5efa1379746874c338807d5 | False | 0.4696168950534759 | data | 6.205450376900145 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x32000 | 0x1c9d4 | 0x1cc00 | 5b3e8f48de8a05507379330b3cf331a7 | False | 0.23725373641304348 | data | 2.6063301335912525 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x50000 | 0xc | 0x400 | f921873e0b7f3fe3399366376917ef43 | False | 0.025390625 | data | 0.05390218305374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x321a0 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
RT_ICON | 0x35eb4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
RT_ICON | 0x466ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
RT_ICON | 0x4a924 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
RT_ICON | 0x4cedc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
RT_ICON | 0x4df94 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
RT_GROUP_ICON | 0x4e40c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x4e478 | 0x35a | data | | | 0.4417249417249417
RT_MANIFEST | 0x4e7e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/24/24-14:42:00.417225 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
04/24/24-14:42:15.218803 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
04/24/24-14:42:05.910422 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
04/24/24-14:42:00.638318 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 14:41:59.903887987 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:00.137995958 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:00.138135910 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:00.150290012 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:00.381561995 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:00.417224884 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:00.638318062 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:00.681817055 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:05.686487913 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:05.910422087 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:05.910453081 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:05.910480022 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:05.910537004 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:05.910577059 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:05.910593987 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:05.910639048 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:05.962956905 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:06.035126925 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:06.256516933 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:06.262161016 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:06.493875027 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:06.497272968 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:06.717742920 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:06.759840965 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:06.899744987 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:07.147355080 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:07.155374050 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:07.396709919 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:07.402031898 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:07.622616053 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:07.624068975 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:07.844559908 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:07.884862900 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:07.886188030 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.114444971 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.166151047 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.227442980 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.447453976 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.447530031 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.447602987 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.447658062 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.447671890 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.447709084 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.448021889 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.448105097 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.668382883 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.668567896 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.668706894 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.668915987 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.669004917 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.669106960 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.669161081 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.669168949 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.669173956 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.669214964 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.888721943 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.888736963 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.888772011 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.888847113 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.888905048 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.888993025 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.889027119 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.889070988 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.889131069 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.889178038 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.889317036 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.889367104 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.889368057 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.889410019 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.889565945 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.889619112 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.889663935 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.889717102 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.890142918 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.890182972 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.890196085 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.890221119 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.890245914 CEST | 49710 | 2630 | 192.168.2.6 | 103.113.70.99
Apr 24, 2024 14:42:08.890357018 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.890431881 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.890444040 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
Apr 24, 2024 14:42:08.890537977 CEST | 2630 | 49710 | 103.113.70.99 | 192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.110057116 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.110074043 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.110196114 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.110316992 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.110330105 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.110479116 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.110927105 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.110939980 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.111061096 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.111121893 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.111258030 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.111366987 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.111418962 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.111430883 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.111633062 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.111658096 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112015963 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112041950 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112065077 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112344980 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112356901 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112366915 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112461090 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112564087 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112638950 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112756014 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112951040 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.112981081 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.113143921 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.113297939 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.113425970 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.113603115 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.113694906 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.113871098 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.113883018 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.161082983 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.161530018 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.161621094 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.346513033 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.361975908 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.362848997 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.362917900 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.363149881 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.363277912 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.363555908 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.363636017 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.393337011 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.394566059 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.394646883 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.394851923 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.395093918 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.395251989 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.395472050 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.395554066 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.594645023 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.609965086 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.610497952 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.610729933 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.610888004 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.611130953 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.611427069 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.611501932 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.625642061 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.626190901 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.626209974 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.626251936 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.626435041 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.642927885 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.643327951 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.643398046 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.835597038 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.835639000 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.835768938 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.835928917 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.835995913 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.836091995 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.836235046 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.836381912 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.836610079 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.836626053 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.836812019 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.836968899 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.837097883 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.837249041 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.837342024 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.837476015 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.837619066 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.837634087 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.837708950 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.837790012 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.837928057 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.838068962 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.838131905 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.839890003 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.839948893 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.863403082 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.863526106 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.863543987 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.863936901 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.864075899 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.864326000 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.864366055 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.864506960 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.864571095 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.864928961 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.864999056 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.865015030 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.865029097 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.865215063 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.865264893 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.865358114 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.865372896 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.865469933 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:09.865765095 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.865780115 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.866024971 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.866039991 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.866266966 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.866317987 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:09.866589069 CEST497102630192.168.2.6103.113.70.99
                                                                                                                                                Apr 24, 2024 14:42:10.090420961 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:10.090625048 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:10.090814114 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:10.090898037 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:10.091348886 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:10.091469049 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:10.091563940 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:10.091610909 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:10.091754913 CEST263049710103.113.70.99192.168.2.6
                                                                                                                                                Apr 24, 2024 14:42:10.091821909 CEST263049710103.113.70.99192.168.2.6
Target ID: 1
Start time: 14:41:55
Start date: 24/04/2024
Path: C:\Users\user\Desktop\XHr735qu8v.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\XHr735qu8v.exe"
Imagebase: 0xbc0000
File size: 312'989 bytes
MD5 hash: DCF8679430BC69CFC5EB65F4DABF4F09
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.2091990464.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.2281844313.0000000003037000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 9.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 50
Total number of Limit Nodes: 6
(Rendered execution graph omitted; the API calls reached in the graph are PostMessageW, GetModuleHandleW, LoadLibraryExW, DuplicateHandle and CreateActCtxA.)

Control-flow Graph

(Rendered control-flow graph omitted; it covers the function starting at 8165d10, with executed and not-executed blocks marked.)
Strings

Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID: .$1
• API String ID: 0-1839485796
• Opcode ID: fd282a58a4d4cc66db732597e5ed6f7f4f453a573511b7829b3f10813fc5fae7
• Instruction ID: 3836a344e786ecf947e2346d37482c6cc7449dcc3c5068f8f4c41d22237be153
• Opcode Fuzzy Hash: fd282a58a4d4cc66db732597e5ed6f7f4f453a573511b7829b3f10813fc5fae7
• Instruction Fuzzy Hash: 59D1C2B4E01218CFDB68DFA5C890B9DB7B2BF89301F6085A9C509AB354DB359E81CF51
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 1d6e3b527de2c83bd8160ca0f2c630a1b9a94a448ed10602dcc415598958e69d
                                                                                                                                                  • Instruction ID: f3d433557982e2c073993110e69dcb8392d80a23c62c626d9f663f008223f380
                                                                                                                                                  • Opcode Fuzzy Hash: 1d6e3b527de2c83bd8160ca0f2c630a1b9a94a448ed10602dcc415598958e69d
                                                                                                                                                  • Instruction Fuzzy Hash: 5F32AB70B052048FDB18DBA9D550BAEBBF6BF89725F14406DE586DB390CB34E811CB61
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8f4647e1a4203493ee18682ab37881b4b1c6792e864111fe08de796813777f4c
                                                                                                                                                  • Instruction ID: 3793241c3937c528a5b8e25085c95d28171aa6a0453eb8f3b1e21587e01d8c4b
                                                                                                                                                  • Opcode Fuzzy Hash: 8f4647e1a4203493ee18682ab37881b4b1c6792e864111fe08de796813777f4c
                                                                                                                                                  • Instruction Fuzzy Hash: 4022A031A0020A9FEB95DF68D880B9EBBF2FF45310F148569E515DB291EB31EC95CB90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f4dfb0f6ca85ccfd184f29b9e895945cab3743e5935f9bd7aff84b0925e5a186
                                                                                                                                                  • Instruction ID: 715d22775287c1a56482935ed38541003941deb618027f7cbfbf6decb656ac8b
                                                                                                                                                  • Opcode Fuzzy Hash: f4dfb0f6ca85ccfd184f29b9e895945cab3743e5935f9bd7aff84b0925e5a186
                                                                                                                                                  • Instruction Fuzzy Hash: C2127E34B00205DFDB94DF69C854A6EBBF6BF89200B158569EA06EB3A5DB71DC01CB90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 17b1e1e9c87ce71f5b029a4a42dd10353b0302f64eac6262048841ec3637347f
                                                                                                                                                  • Instruction ID: 8b4fb0227f58a397be052e065df21f55a4c357772e8c3f36db2707647d70ee24
                                                                                                                                                  • Opcode Fuzzy Hash: 17b1e1e9c87ce71f5b029a4a42dd10353b0302f64eac6262048841ec3637347f
                                                                                                                                                  • Instruction Fuzzy Hash: A832A170E01228CFDB68DF65C890B9EB7B2BF89301F1081E9D54AAB254DB359E91CF51
                                                                                                                                                  Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 783b8090f23d36c6c8a5cb5e342592ee928b8718f44c018be3e9c6b8f018e10c
• Instruction ID: 071f1a0b0855241e7f54cd0988d10a6dc6490ce2d23194115421d20547e76b57
• Opcode Fuzzy Hash: 783b8090f23d36c6c8a5cb5e342592ee928b8718f44c018be3e9c6b8f018e10c
• Instruction Fuzzy Hash: 2F225874E012298FDBA4DF69C990B9DBBB2BB89301F1081EAD549AB350DB315E85CF50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0135B086
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2281301029.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_1350000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                  • Opcode ID: 976909c4cec0ea454a31c0585fda46b38532f05a1c7b899a422dc473541aff72
                                                                                                                                                  • Instruction ID: a58f026cf40531771a161f58aaaa3ea9af3999e4deaf637284b18cffabb93c6a
                                                                                                                                                  • Opcode Fuzzy Hash: 976909c4cec0ea454a31c0585fda46b38532f05a1c7b899a422dc473541aff72
                                                                                                                                                  • Instruction Fuzzy Hash: 297148B0A00B058FE764DF29D454B5ABBF1FF88608F008A2DD95AD7A40D775E849CF91
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (graph image not preserved; node/edge list follows)
• control_flow_graph 121 1354248-1355a01 CreateActCtxA 124 1355a03-1355a09 121->124 125 1355a0a-1355a64 121->125 124->125 132 1355a66-1355a69 125->132 133 1355a73-1355a77 125->133 132->133 134 1355a79-1355a85 133->134 135 1355a88 133->135 134->135 137 1355a89 135->137 137->137
                                                                                                                                                  APIs
                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 013559F1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2281301029.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_1350000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Create
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                  • Opcode ID: 50c47d562e173c9781d69c778496550fca09d2c2f6cd4513562c12aff79147ac
                                                                                                                                                  • Instruction ID: 8d023da57fc4bb0d84f0476cb54e6a8807c98c9730c3f9af9223570d9fe4fcaf
                                                                                                                                                  • Opcode Fuzzy Hash: 50c47d562e173c9781d69c778496550fca09d2c2f6cd4513562c12aff79147ac
                                                                                                                                                  • Instruction Fuzzy Hash: 9641DFB0C0071DCBEB25CFA9C884B9DBBB5FF49704F20806AD408AB255DB756945CF91
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (graph image not preserved; node/edge list follows)
• control_flow_graph 138 1355935-135593c 139 1355944-1355a01 CreateActCtxA 138->139 141 1355a03-1355a09 139->141 142 1355a0a-1355a64 139->142 141->142 149 1355a66-1355a69 142->149 150 1355a73-1355a77 142->150 149->150 151 1355a79-1355a85 150->151 152 1355a88 150->152 151->152 154 1355a89 152->154 154->154
                                                                                                                                                  APIs
                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 013559F1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2281301029.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_1350000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Create
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                  • Opcode ID: 3f46565556bed18ccfdc9720a37fa66697da658732ad11e87761bbd3042d680f
                                                                                                                                                  • Instruction ID: 5c83dee5191a224e20d435bea0dba186bd4097bae8dd411351882483dec9fc05
                                                                                                                                                  • Opcode Fuzzy Hash: 3f46565556bed18ccfdc9720a37fa66697da658732ad11e87761bbd3042d680f
                                                                                                                                                  • Instruction Fuzzy Hash: E041EDB0C00719CBEB24CFA9C884BCDBBB5FF49704F20806AD408AB254DB75694ACF90
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (graph image not preserved; node/edge list follows)
• control_flow_graph 155 135a858-135a860 157 135a862-135b2e8 155->157 158 135a88c 155->158 162 135b2f0-135b31f LoadLibraryExW 157->162 163 135b2ea-135b2ed 157->163 160 135a8ec-135a954 158->160 161 135a88e-135a8c0 158->161 161->160 165 135b321-135b327 162->165 166 135b328-135b345 162->166 163->162 165->166
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0135B101,00000800,00000000,00000000), ref: 0135B312
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2281301029.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_1350000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                  • Opcode ID: b5c700fe2fba1f43c40354333acc5791b7740891b5b45f07e1ac468adf324f87
                                                                                                                                                  • Instruction ID: 64d9fc1f260a13a91afd96bb84ba2defd281dc72197085319218438785f45063
                                                                                                                                                  • Opcode Fuzzy Hash: b5c700fe2fba1f43c40354333acc5791b7740891b5b45f07e1ac468adf324f87
                                                                                                                                                  • Instruction Fuzzy Hash: BB319EB6804398DFEB01CFADD450BEABFF4EB59714F04405AD994A7301C2749505CFA2
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (graph image not preserved; node/edge list follows)
• control_flow_graph 171 135c9a0-135d394 DuplicateHandle 173 135d396-135d39c 171->173 174 135d39d-135d3ba 171->174 173->174
                                                                                                                                                  APIs
                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0135D2C6,?,?,?,?,?), ref: 0135D387
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2281301029.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_1350000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                  • Opcode ID: 080fdd721f533cf0e23702b3b2c1da2ae28587276b6b7e6228802076ab5a67ae
                                                                                                                                                  • Instruction ID: 6449243d29df735a6273de797f444ca6bb9685144100934d99eb443e6f4c1296
                                                                                                                                                  • Opcode Fuzzy Hash: 080fdd721f533cf0e23702b3b2c1da2ae28587276b6b7e6228802076ab5a67ae
                                                                                                                                                  • Instruction Fuzzy Hash: 6421E6B5900348DFDB10CFAAD984AEEFBF8EB48710F14841AE918A7311D374A954CFA5
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (graph image not preserved; node/edge list follows)
• control_flow_graph 177 135d2f9-135d394 DuplicateHandle 178 135d396-135d39c 177->178 179 135d39d-135d3ba 177->179 178->179
                                                                                                                                                  APIs
                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0135D2C6,?,?,?,?,?), ref: 0135D387
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2281301029.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_1350000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                  • Opcode ID: 5b96fc0c44c7e7c03cf998314c4e9ce41cab0815405d6361e0f5ef24970cc407
                                                                                                                                                  • Instruction ID: b4a3fab228aca907672029fcb8258a4f38032937141d3bd4a32bed6815686fff
                                                                                                                                                  • Opcode Fuzzy Hash: 5b96fc0c44c7e7c03cf998314c4e9ce41cab0815405d6361e0f5ef24970cc407
                                                                                                                                                  • Instruction Fuzzy Hash: F221E3B5900209DFDB10CFA9D985AEEBBF4EB48314F14841AE958B3310D378AA54CF65
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (graph image not preserved; node/edge list follows)
• control_flow_graph 182 135b2a0-135b2e8 184 135b2f0-135b31f LoadLibraryExW 182->184 185 135b2ea-135b2ed 182->185 186 135b321-135b327 184->186 187 135b328-135b345 184->187 185->184 186->187
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0135B101,00000800,00000000,00000000), ref: 0135B312
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2281301029.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_1350000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                  • Opcode ID: f1ebb9f26862780154b8eb96865459a7f5e43c6cb68bb5e237b1e5e738b87850
                                                                                                                                                  • Instruction ID: ce4c38accea3a61a13be0d8e27af047009366e9950437a999ca0b7debd1daa10
                                                                                                                                                  • Opcode Fuzzy Hash: f1ebb9f26862780154b8eb96865459a7f5e43c6cb68bb5e237b1e5e738b87850
                                                                                                                                                  • Instruction Fuzzy Hash: A011E4B68003499FDB10CFAAC844BDEFBF5EB48714F14841AD959B7201C379A545CFA5
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (graph image not preserved; node/edge list follows)
• control_flow_graph 190 135a870-135b2e8 192 135b2f0-135b31f LoadLibraryExW 190->192 193 135b2ea-135b2ed 190->193 194 135b321-135b327 192->194 195 135b328-135b345 192->195 193->192 194->195
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0135B101,00000800,00000000,00000000), ref: 0135B312
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2281301029.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_1350000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                  • Opcode ID: da1bedc7a2543cd57c78ddc0b2ef7a6d41012489774b0aa89c6be12c9ea23452
                                                                                                                                                  • Instruction ID: 1bf6c7b49907398f6be3845788d90ad7c107e4479f96480c4c14f202a04a9cec
                                                                                                                                                  • Opcode Fuzzy Hash: da1bedc7a2543cd57c78ddc0b2ef7a6d41012489774b0aa89c6be12c9ea23452
                                                                                                                                                  • Instruction Fuzzy Hash: 991114B6800349DFDB10CF9AC444AEEFBF9EB48714F10842AD919B7200C375A545CFA5
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (graph image not preserved; node/edge list follows)
• control_flow_graph 198 135b020-135b060 199 135b062-135b065 198->199 200 135b068-135b093 GetModuleHandleW 198->200 199->200 201 135b095-135b09b 200->201 202 135b09c-135b0b0 200->202 201->202
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0135B086
                                                                                                                                                  Memory Dump Source
• Source File: 00000001.00000002.2281301029.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1350000_XHr735qu8v.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 87d9177a60215276c4fc42a34e1682739eabbc377e2323867e975651ac028810
• Instruction ID: 736ee82f050731cd248928489aba301d2fb797ca23df11727fecb160d1dc65c4
• Opcode Fuzzy Hash: 87d9177a60215276c4fc42a34e1682739eabbc377e2323867e975651ac028810
• Instruction Fuzzy Hash: CE1110B5C00749CFDB20CF9AC444ADEFBF5EB88624F10841AD928B7210C379A649CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 204 8169c70-816a87a PostMessageW 206 816a883-816a897 204->206 207 816a87c-816a882 204->207 207->206
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0816A86D
Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 3709f9d3d35d7c78bd1b045b5d85c1d9f162ab064689b98554ac3da772fc401d
• Instruction ID: c4a9ad6d077c1ba291c8b9d1c363e06fe5642748ca9076206639cfe1ed271985
• Opcode Fuzzy Hash: 3709f9d3d35d7c78bd1b045b5d85c1d9f162ab064689b98554ac3da772fc401d
• Instruction Fuzzy Hash: 1411DFB58003599FDB10DF9AD885BDEBBF8EB48721F10841AE558A7200C375A964CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 209 816a809-816a87a PostMessageW 211 816a883-816a897 209->211 212 816a87c-816a882 209->212 212->211
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0816A86D
Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 0bdda52db50f0ec7cc024bb3ece1f2feb7a47ca3d4ef18f1cbfba21f3b828027
• Instruction ID: af9158b99a9594465e83bebb2ac0d779e1513715933bf22f0c803602032bb5bb
• Opcode Fuzzy Hash: 0bdda52db50f0ec7cc024bb3ece1f2feb7a47ca3d4ef18f1cbfba21f3b828027
• Instruction Fuzzy Hash: D81122B5800248DFDB10CF9AD584BDEBBF8EF48320F10841AD558A7200C378A954CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 214 68059d8-68059f3 216 68059f5-68059f7 214->216 217 68059ff-6805a0e 214->217 216->217 218 6805a10 217->218 219 6805a1a-6805a2a 217->219 218->219 220 6805a2d-6805a4f 219->220 222 6805a55-6805a5b 220->222 223 6805c88-6805ccf 220->223 224 6805a61-6805a67 222->224 225 6805b34-6805b38 222->225 251 6805cd1 223->251 252 6805ce5-6805cf1 223->252 224->223 226 6805a6d-6805a7a 224->226 228 6805b3a-6805b43 225->228 229 6805b5b-6805b64 225->229 230 6805a80-6805a89 226->230 231 6805b13-6805b1c 226->231 228->223 232 6805b49-6805b59 228->232 233 6805b66-6805b86 229->233 234 6805b89-6805b8c 229->234 230->223 235 6805a8f-6805ab0 230->235 231->223 238 6805b22-6805b2e 231->238 237 6805b8f-6805b95 232->237 233->234 234->237 239 6805ab2 235->239 240 6805abc-6805ad7 235->240 237->223 241 6805b9b-6805bae 237->241 238->224 238->225 239->240 240->231 250 6805ad9-6805adf 240->250 241->223 244 6805bb4-6805bc4 241->244 244->223 246 6805bca-6805bd7 244->246 246->223 249 6805bdd-6805c02 246->249 249->223 266 6805c08-6805c20 249->266 253 6805ae1 250->253 254 6805aeb-6805af1 250->254 255 6805cd4-6805cd6 251->255 257 6805cf3 252->257 258 6805cfd-6805d19 252->258 253->254 254->223 259 6805af7-6805b10 254->259 260 6805cd8-6805ce3 255->260 261 6805d1a-6805d30 255->261 257->258 260->252 260->255 266->223 270 6805c22-6805c2d 266->270 271 6805c7e-6805c85 270->271 272 6805c2f-6805c39 270->272 272->271 274 6805c3b-6805c51 272->274 276 6805c53 274->276 277 6805c5d-6805c76 274->277 276->277 277->271
Strings
Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 6f8484ec5cda57d6d843767e867a157c985b4969467f62e83b9deba75e326588
• Instruction ID: f57ea0365ef5683789f6144d211dead19e268cbf7042ce4c030889393ac288b0
• Opcode Fuzzy Hash: 6f8484ec5cda57d6d843767e867a157c985b4969467f62e83b9deba75e326588
• Instruction Fuzzy Hash: FCC16934600602CFD764CF28C98096ABBF2FF89310B59C9A9D55A8B6A1D730FC46CF95
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 280 67f1ba0-67f1bc3 281 67f1bc5-67f1bc7 280->281 282 67f1bd1-67f1c2d 280->282 281->282 287 67f2056-67f209e 282->287 288 67f1c33-67f1c69 282->288 291 67f20b6-67f2119 287->291 292 67f20a0-67f20a6 287->292 288->287 299 67f1c6f-67f1ca5 288->299 309 67f211f-67f2139 291->309 310 67f2ea1-67f2ea9 291->310 293 67f20aa-67f20b4 292->293 294 67f20a8 292->294 293->291 294->291 299->287 307 67f1cab-67f1ce2 299->307 307->287 323 67f1ce8-67f1d1e 307->323 309->310 317 67f213f-67f216f 309->317 315 67f2eab-67f2eb6 310->315 316 67f2ef0 310->316 319 67f2ebe-67f2ee8 315->319 320 67f2eb8-67f2ebc 315->320 321 67f2ef4-67f2efe 316->321 322 67f2ef2 316->322 334 67f2189-67f21d5 317->334 335 67f2171-67f2187 317->335 324 67f2eea 319->324 325 67f2f00-67f2f78 319->325 320->319 321->325 322->325 323->287 339 67f1d24-67f1d5a 323->339 324->316 347 67f2f7a-67f2fa0 325->347 348 67f2fa2-67f2fa9 325->348 345 67f21dc-67f21f9 334->345 335->345 339->287 356 67f1d60-67f1d9e 339->356 345->310 354 67f21ff-67f2235 345->354 347->348 363 67f224f-67f229b 354->363 364 67f2237-67f224d 354->364 356->287 366 67f1da4-67f1ded 356->366 372 67f22a2-67f22bf 363->372 364->372 366->287 382 67f1df3-67f1e29 366->382 372->310 378 67f22c5-67f22fb 372->378 386 67f22fd-67f2313 378->386 387 67f2315-67f2361 378->387 382->287 394 67f1e2f-67f1e65 382->394 395 67f2368-67f2385 386->395 387->395 394->287 404 67f1e6b-67f1ea1 394->404 395->310 399 67f238b-67f23c1 395->399 409 67f23db-67f2427 399->409 410 67f23c3-67f23d9 399->410 404->287 414 67f1ea7-67f1edd 404->414 418 67f242e-67f244b 409->418 410->418 414->287 426 67f1ee3-67f1efa 414->426 418->310 423 67f2451-67f2487 418->423 431 67f2489-67f249f 423->431 432 67f24a1-67f24f9 423->432 426->287 429 67f1f00-67f1f32 426->429 441 67f1f5c-67f1f9e 429->441 442 67f1f34-67f1f5a 429->442 440 67f2500-67f251d 431->440 432->440 440->310 447 67f2523-67f2559 440->447 458 67f1fbc-67f1fc8 441->458 459 67f1fa0-67f1fb6 441->459 455 67f1fce-67f2001 442->455 461 67f255b-67f2571 447->461 462 67f2573-67f25d1 447->462 455->287 468 67f2003-67f2039 455->468 458->455 459->458 470 67f25d8-67f25f5 461->470 462->470 468->287 479 67f203b-67f2053 468->479 470->310 476 67f25fb-67f2631 470->476 483 67f264b-67f26a9 476->483 484 67f2633-67f2649 476->484 489 67f26b0-67f26cd 483->489 484->489 489->310 492 67f26d3-67f2709 489->492 497 67f270b-67f2721 492->497 498 67f2723-67f2781 492->498 503 67f2788-67f27a5 497->503 498->503 503->310 507 67f27ab-67f27c5 503->507 507->310 509 67f27cb-67f27fb 507->509 513 67f27fd-67f2813 509->513 514 67f2815-67f2873 509->514 519 67f287a-67f2897 513->519 514->519 519->310 523 67f289d-67f28b7 519->523 523->310 525 67f28bd-67f28ed 523->525 529 67f28ef-67f2905 525->529 530 67f2907-67f2965 525->530 535 67f296c-67f2989 529->535 530->535 535->310 539 67f298f-67f29a9 535->539 539->310 541 67f29af-67f29df 539->541 545 67f29f9-67f2a57 541->545 546 67f29e1-67f29f7 541->546 551 67f2a5e-67f2a7b 545->551 546->551 551->310 554 67f2a81-67f2ab7 551->554 559 67f2ab9-67f2acf 554->559 560 67f2ad1-67f2b2f 554->560 565 67f2b36-67f2b53 559->565 560->565 565->310 569 67f2b59-67f2b8f 565->569 573 67f2ba9-67f2c07 569->573 574 67f2b91-67f2ba7 569->574 579 67f2c0e-67f2c2b 573->579 574->579 579->310 582 67f2c31-67f2c67 579->582 587 67f2c69-67f2c7f 582->587 588 67f2c81-67f2cdf 582->588 593 67f2ce6-67f2d03 587->593 588->593 593->310 597 67f2d09-67f2d3f 593->597 601 67f2d59-67f2db7 597->601 602 67f2d41-67f2d57 597->602 607 67f2dbe-67f2ddb 601->607 602->607 607->310 611 67f2de1-67f2e13 607->611 615 67f2e2d-67f2e82 611->615 616 67f2e15-67f2e2b 611->616 621 67f2e89-67f2e9e 615->621 616->621
Memory Dump Source
• Source File: 00000001.00000002.2292099602.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67f0000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8fac9fa3c1e9fa40c20ae037b6b5901a35d80d043360ed7acc22b003603b70b0
• Instruction ID: c7e4991de67061ce956b28721dfd212d87ffe669127e05f91b357269df1bba1d
• Opcode Fuzzy Hash: 8fac9fa3c1e9fa40c20ae037b6b5901a35d80d043360ed7acc22b003603b70b0
• Instruction Fuzzy Hash: 79C23B70B101189FCB54DFA4C854BEDBBB2EF89700F10809AE61AAB3A1DB719E45CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 625 67f3838-67f384b 626 67f384d-67f3853 625->626 627 67f3863-67f38ab 625->627 628 67f3857-67f3861 626->628 629 67f3855 626->629 635 67f39b3-67f39bd 627->635 636 67f38b1-67f38e8 627->636 628->627 629->627 639 67f39bf-67f39e6 635->639 640 67f3a04-67f3a45 635->640 636->635 649 67f38ee-67f3905 636->649 641 67f39fe-67f3a03 639->641 642 67f39e8-67f39ee 639->642 655 67f3a4b-67f3a82 640->655 656 67f3ad5-67f3add 640->656 641->640 644 67f39f2-67f39fc 642->644 645 67f39f0 642->645 644->641 645->641 649->635 653 67f390b-67f39b0 649->653 655->656 675 67f3a84-67f3aba 655->675 661 67f3adf-67f3ae6 656->661 662 67f3b24-67f3b6c 656->662 665 67f3aee-67f3b08 661->665 666 67f3ae8-67f3aec 661->666 684 67f3b72-67f3bab 662->684 685 67f3c81-67f3c89 662->685 668 67f3b0a-67f3b10 665->668 669 67f3b20-67f3b22 665->669 666->665 672 67f3b14-67f3b1e 668->672 673 67f3b12 668->673 669->662 672->669 673->669 675->656 687 67f3abc-67f3ad2 675->687 684->685 703 67f3bb1-67f3bea 684->703 691 67f3c8b-67f3cce 685->691 692 67f3cd0-67f3cd6 685->692 691->692 694 67f3ce6-67f3d3f 691->694 695 67f3cda-67f3ce4 692->695 696 67f3cd8 692->696 710 67f42e7-67f42f1 694->710 711 67f3d45-67f3d84 694->711 695->694 696->694 703->685 712 67f3bf0-67f3c29 703->712 716 67f4338-67f4378 710->716 717 67f42f3-67f42fe 710->717 711->710 726 67f3d8a-67f3da6 711->726 712->685 728 67f3c2b-67f3c64 712->728 738 67f437e-67f439a 716->738 739 67f4449-67f4450 716->739 718 67f4306-67f4332 717->718 719 67f4300-67f4304 717->719 718->716 719->718 726->710 732 67f3dac-67f3de3 726->732 728->685 741 67f3c66-67f3c7e 728->741 745 67f3e0e-67f3e75 732->745 746 67f3de5-67f3e09 732->746 749 67f439c-67f43c0 738->749 750 67f43c2-67f4400 738->750 766 67f3e97-67f3ea5 745->766 767 67f3e77-67f3e91 745->767 760 67f3eab-67f3ec5 746->760 765 67f442a-67f4443 749->765 771 67f441b-67f4424 750->771 772 67f4402-67f4415 750->772 760->710 768 67f3ecb-67f3f02 760->768 765->738 765->739 766->760 767->766 777 67f3f2d-67f3f90 768->777 778 67f3f04-67f3f28 768->778 771->765 772->771 787 67f3fb2-67f3fc0 777->787 788 67f3f92-67f3fac 777->788 785 67f3fc6-67f3fe0 778->785 785->710 790 67f3fe6-67f401d 785->790 787->785 788->787 794 67f401f-67f4043 790->794 795 67f4048-67f40ab 790->795 802 67f40e1-67f40fb 794->802 804 67f40cd-67f40db 795->804 805 67f40ad-67f40c7 795->805 802->710 807 67f4101-67f4138 802->807 804->802 805->804 811 67f413a-67f415e 807->811 812 67f4163-67f41c6 807->812 819 67f41fc-67f4216 811->819 821 67f41e8-67f41f6 812->821 822 67f41c8-67f41e2 812->822 819->710 824 67f421c-67f4250 819->824 821->819 822->821 828 67f4278-67f42c8 824->828 829 67f4252-67f4276 824->829 836 67f42cf-67f42e4 828->836 829->836
Memory Dump Source
• Source File: 00000001.00000002.2292099602.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67f0000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a108b44bec4d27ca5690ee931779f88e68f2964a553d62b1808855de22a4357
• Instruction ID: 5826f8cbd73c8de424f084cfddde2f48472b0ab15badd1cd3cc8eba00b6e7b01
• Opcode Fuzzy Hash: 1a108b44bec4d27ca5690ee931779f88e68f2964a553d62b1808855de22a4357
• Instruction Fuzzy Hash: 02824734B102149FCB44CF68C994EAABBF6FF89704F158099E606DB3A2DA71ED40CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292099602.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67f0000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31cae71344f453b02ee2731ee9f7c18c3054dbce01dd5f608236185062c94606
• Instruction ID: 9b47c583f6e61ddf63abf97f6462041d078634a0fc3ef9ab5253752a00741eba
• Opcode Fuzzy Hash: 31cae71344f453b02ee2731ee9f7c18c3054dbce01dd5f608236185062c94606
• Instruction Fuzzy Hash: A6429D70710B199FDB68AB78D4A0A6E77F2FBC6204B40491DD6079B391DF76EC018B92
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292099602.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_67f0000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 858890409a11e4742000d1a3628fe9817572130a64ea49ab983d7b02e28abdb5
• Instruction ID: 46222d4023a2612d5cec8d9bb2e666b66b0fa1c8ce5f089f2bc5a6a13c424520
• Opcode Fuzzy Hash: 858890409a11e4742000d1a3628fe9817572130a64ea49ab983d7b02e28abdb5
• Instruction Fuzzy Hash: FA328E30B10205DFEB959B69C858A7EBBF6BF89210F15845AE606C73A2DF71DC01CB51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 488cc00d113ef37bd541ff1aea143f6d5d8116cbf88153bb9c80454505eb333f
• Instruction ID: 25f3eedc3a0498598d3e49b2b3af3f1c1571742f3db8fa666d3f10ba72058da0
• Opcode Fuzzy Hash: 488cc00d113ef37bd541ff1aea143f6d5d8116cbf88153bb9c80454505eb333f
• Instruction Fuzzy Hash: 17322974B00605CFDB94DF29C894A6EBBF6BF89204B1584A9E606DB3A1DB30EC45CB50
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292099602.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_67f0000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2df15818550c2757e567a70c3746ffe0835a5841f2e049b1c6c5dcbc50dc5914
                                                                                                                                                  • Instruction ID: 7b87faa4a6b03ac798d5bcaf558610f4ee978e2a370788492bd0e407f1296884
                                                                                                                                                  • Opcode Fuzzy Hash: 2df15818550c2757e567a70c3746ffe0835a5841f2e049b1c6c5dcbc50dc5914
                                                                                                                                                  • Instruction Fuzzy Hash: 45D1D334B10205DFEB959BA9C894A3E77E6BF8A304F50845AE6078B392DF75DC01C752
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292099602.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_67f0000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4f55e7ad9783d8dd54ffcc3b5f5b89cc957161771e914844c6e2ae259cff3753
                                                                                                                                                  • Instruction ID: b533d0d644723c61d7ea2b4a6a3ff50d437f56f356eb5f991259a5731731b5b5
                                                                                                                                                  • Opcode Fuzzy Hash: 4f55e7ad9783d8dd54ffcc3b5f5b89cc957161771e914844c6e2ae259cff3753
                                                                                                                                                  • Instruction Fuzzy Hash: A3D18134B10604DFDB449B65C869B7E7BF6BF89704F10806AE6029B3A2DBB5DD01CB52
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 39330ec36b786198a1c92bf2e5a280b2b0b59e35aaec4c8fb92b56b2203fbc13
                                                                                                                                                  • Instruction ID: 039b3f4f8805a6856ddf528b8a2a448d1225846ab98d68516f62fda0ca1bd612
                                                                                                                                                  • Opcode Fuzzy Hash: 39330ec36b786198a1c92bf2e5a280b2b0b59e35aaec4c8fb92b56b2203fbc13
                                                                                                                                                  • Instruction Fuzzy Hash: 40B13834B00605CFDB54DF29D894A6EBBF6BF89204B1584A9E646DB3A2DB30EC05CB50
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f67364cf49b5999b0346862b6dc152473e897ddcd90b4573bbb75c4b9f98d952
                                                                                                                                                  • Instruction ID: e1f6f15f936525a6a3f8e3edfec476339d1745486c737bf74d0616ff1ac9d820
                                                                                                                                                  • Opcode Fuzzy Hash: f67364cf49b5999b0346862b6dc152473e897ddcd90b4573bbb75c4b9f98d952
                                                                                                                                                  • Instruction Fuzzy Hash: 1A513871E00258DFEB94CFA9D841BDEBBF5AF88700F148429D515EB294D774A946CF80
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292099602.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_67f0000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6ab30f6b8b7af4ee32e875641f5f3d27c108d7695ffd2c5378f49e0a0c711d24
                                                                                                                                                  • Instruction ID: 363958a33bcc1e43ee33c070103364b52bcc48cc28fdc5f93cba64de9d89ab30
                                                                                                                                                  • Opcode Fuzzy Hash: 6ab30f6b8b7af4ee32e875641f5f3d27c108d7695ffd2c5378f49e0a0c711d24
                                                                                                                                                  • Instruction Fuzzy Hash: D0511735B105159FCB54DF69C884DAABBF2FF89320B118069E90AAB361EB31EC45CB50
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3c4fc9bc71bea5213759ea2f0fdc71b11b432ad5241c05c2fff636a2068ea606
                                                                                                                                                  • Instruction ID: 1c43fe50585e78bdabf46979ce7c5c3aac077d582e2c6b97e80db476a575f397
                                                                                                                                                  • Opcode Fuzzy Hash: 3c4fc9bc71bea5213759ea2f0fdc71b11b432ad5241c05c2fff636a2068ea606
                                                                                                                                                  • Instruction Fuzzy Hash: 8A5148B0D00259CFEB94CFA9D981BDDBBF1AF48B00F14882AD415EB294DB74A945CF81
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 08b6c29bff0455707e820e9e2795da02dfb9c2b6792621e2d0f938e7b78e8a04
                                                                                                                                                  • Instruction ID: 4e473662ab8eb33055144fb8eb6916c21417279ad0993907e1e5bd7301b677f4
                                                                                                                                                  • Opcode Fuzzy Hash: 08b6c29bff0455707e820e9e2795da02dfb9c2b6792621e2d0f938e7b78e8a04
                                                                                                                                                  • Instruction Fuzzy Hash: 29418C75A00642CFEB94CF59C88496EBBF2FF88310B198969D555EB391CB30E801CF50
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e6b52cd7d4e4927c4cb72426f57c23618364a89c633ebd990cdb64ab25eec3e3
                                                                                                                                                  • Instruction ID: b31eb282bdc1e158ac8cc679487a4d9dbbfe8980a3dff0f9fc70aaee259e8ee4
                                                                                                                                                  • Opcode Fuzzy Hash: e6b52cd7d4e4927c4cb72426f57c23618364a89c633ebd990cdb64ab25eec3e3
                                                                                                                                                  • Instruction Fuzzy Hash: BE41F775A043458FDB569F78D81866E7FB2FF86300B58889EE580CB3A2D7358D05CB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f53331f8927dd839e78884ae3a9a6172f6e8e6d7000d391ef8cdd9c8840bf87a
                                                                                                                                                  • Instruction ID: 5ef51b3186882d74d66c3a965208b86f09c5da40ac4ba57de05a030a8667e89a
                                                                                                                                                  • Opcode Fuzzy Hash: f53331f8927dd839e78884ae3a9a6172f6e8e6d7000d391ef8cdd9c8840bf87a
                                                                                                                                                  • Instruction Fuzzy Hash: 853155317043428FC79AA778A85056E7BE6DFCA22034549BFD149CB781DE21DC07C7A2
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a799a78118e740a9d43fbb18aa3d8a2eff6d1db4d619c4047afac8c622e6e350
                                                                                                                                                  • Instruction ID: 91c877c2876e94f8d330f2ae2f30c701d5eeeb0a02a008ee742ac3217a0469ff
                                                                                                                                                  • Opcode Fuzzy Hash: a799a78118e740a9d43fbb18aa3d8a2eff6d1db4d619c4047afac8c622e6e350
                                                                                                                                                  • Instruction Fuzzy Hash: 66413935A00606CFDB54CF58C98096ABBF2FF89310B59C9A9E559DB2A1D730F801CFA5
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ba4200f170b596fa83f269e3a637999949bbddc57f76ea44516b33369bad705
• Instruction ID: 4d18553e06396f58c81a4de16095201e5aeb998d26a13b24cc9a969588f008c3
• Opcode Fuzzy Hash: 0ba4200f170b596fa83f269e3a637999949bbddc57f76ea44516b33369bad705
• Instruction Fuzzy Hash: FE412775504F849FC725CF6EC480997FFF4AF99210B04896EE9DA83B62E270E904CB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c51bd8aebdd8bba2f16dc37475118e684edc75ca6d6465abec783312282d9ad
• Instruction ID: f53c9fa4594e6fbfdf546268a7cb2b3185f923bb9551dcb3ca40a7cfb6d4966f
• Opcode Fuzzy Hash: 0c51bd8aebdd8bba2f16dc37475118e684edc75ca6d6465abec783312282d9ad
• Instruction Fuzzy Hash: 2F318B38B00201DFDB85DF34D8849AE7BB2BF8A200B5085A9EA05DB395DF30DD05CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 029a1c6c335a4344ef6de977b022755c2a5d8547959eed2b4983d1fc3c1f8aad
• Instruction ID: 8c68239b1241d1ae8a69a211671d51c3eb8a09057b604901fd96448398ef25bd
• Opcode Fuzzy Hash: 029a1c6c335a4344ef6de977b022755c2a5d8547959eed2b4983d1fc3c1f8aad
• Instruction Fuzzy Hash: B431BF717002158BDF48AF78A86057E7BE7AFCC200B50443AD60ACB384EF719D0687E2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd43f07cf26e05ca279cd1c66a473ac0cef629c7c64b35709f064919f7584108
• Instruction ID: 8ac93f0ab998aa3d4c9a1563bf3f7ead471fabdb41e63187844f34435b6e6240
• Opcode Fuzzy Hash: cd43f07cf26e05ca279cd1c66a473ac0cef629c7c64b35709f064919f7584108
• Instruction Fuzzy Hash: 64314434B00211DFDB55DF38D8849AEBBB2BF8A240B508569EA05CB395DF31ED01CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2ac7ff27611c18ef24fa220e3eda034d44c30e7c8a39e15a94374b9086ce827
• Instruction ID: 1e4f8ee79b017ebddc1ca214e8336ad44b794c37951a32d65abebffd80259563
• Opcode Fuzzy Hash: b2ac7ff27611c18ef24fa220e3eda034d44c30e7c8a39e15a94374b9086ce827
• Instruction Fuzzy Hash: 8741FEB1D01248DFEF54CFAAD840ADEBBB6AF88310F14842AE415A7290DB34A945CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 253ad238cbe7e1dc9219b519630c6f0d38268605446bea3ed2b21fbb71b14ae0
• Instruction ID: e742318b66a11490beb0307de0001ca38bce01cab842d6ca3014b84daf95f8d7
• Opcode Fuzzy Hash: 253ad238cbe7e1dc9219b519630c6f0d38268605446bea3ed2b21fbb71b14ae0
• Instruction Fuzzy Hash: 1E21A0747102158BDF48AB78A86017E37E3AFC8201B54483ED60ADB385EF759D0697E2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e16cc94a68d3fdaef79e4995757ee74f1f79fe6a10a1a9409da80b1cf7f6e9d5
• Instruction ID: b487ad7b6d6303fff7d576f8753f191977d5779ad6a5c48ada1aea522d2a74eb
• Opcode Fuzzy Hash: e16cc94a68d3fdaef79e4995757ee74f1f79fe6a10a1a9409da80b1cf7f6e9d5
• Instruction Fuzzy Hash: CF3102B1D01218DFEF54CFA9D891BDEBBF5AF88310F14842AE409A7280C774A945CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3436079da6afc38ed48d77d988f8626cb29de8352979a5d625ed3571117f32b
• Instruction ID: 9791af47a8b8a0d46be5526a22d1e93491cc9a60be6882cf4fe1de639e68214b
• Opcode Fuzzy Hash: d3436079da6afc38ed48d77d988f8626cb29de8352979a5d625ed3571117f32b
• Instruction Fuzzy Hash: 0631FFB1D01648DFEF54CFAAC990ADEBBF6AF88300F14842AD415BB290DB349945CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2281007848.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11dd000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d621560d0f07b7ba90b9db3c0d01f66fb87d1047370f098dd45bfde77d8a1e58
• Instruction ID: 38bd1e4802d4f0ccb34ee420ae05ddfd3a08d59e2413666b5d6f58f70a980863
• Opcode Fuzzy Hash: d621560d0f07b7ba90b9db3c0d01f66fb87d1047370f098dd45bfde77d8a1e58
• Instruction Fuzzy Hash: 27212872504204EFDF19DF54E9C0B66BF65FB84324F20C16DD9090B696C336E456CBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3af4341d60127a0a4f49b076fec52cc37987eae1509e7eb571482c8543e39dea
• Instruction ID: 8ef540bad4a6391ddc1e76cb653208305d662b0b5a3dc2df3b17dc63edd07e74
• Opcode Fuzzy Hash: 3af4341d60127a0a4f49b076fec52cc37987eae1509e7eb571482c8543e39dea
• Instruction Fuzzy Hash: 643112B4D0025ADFDF94CFA8D9856EDBBB4FB09311F2044AAE525E7390D7745A81CB80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2281037297.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11ed000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 545df12d03222fbf5a124efea89c29a42d534be81e2f457b2df58a635c46c75c
• Instruction ID: bfbfb13ca420cd8ea82a9331ca746e80f9700d36c28f0657a9038d77a92bcf65
• Opcode Fuzzy Hash: 545df12d03222fbf5a124efea89c29a42d534be81e2f457b2df58a635c46c75c
• Instruction Fuzzy Hash: C021D371604604EFDF19DFA4E588B16BFA5FB84314F28C56DD90A4B246C336D446CA62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f688ac4a05321e9787069fc73a2725c60b1d97b341ac840472aacf6b6200030
• Instruction ID: 0b4eb863806d093b54fc4a7e1aaf318af7f8b33a3819e70db344ecfbdd75e04a
• Opcode Fuzzy Hash: 8f688ac4a05321e9787069fc73a2725c60b1d97b341ac840472aacf6b6200030
• Instruction Fuzzy Hash: EA21F3B1D01248DFEF54CFA9C8A5B9EBBF9AF48710F148429E405F7280D7749945CBA4
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2281037297.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11ed000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a23db4c037f36106b8b4040d820775c8894418d8c8e3abeb9a1ed343b97daafe
• Instruction ID: ca00bf367447a4f2ebd7cac720448028db958aa8ba1d9f60e0a6eea71b2a489a
• Opcode Fuzzy Hash: a23db4c037f36106b8b4040d820775c8894418d8c8e3abeb9a1ed343b97daafe
• Instruction Fuzzy Hash: 7621C275509780CFCB07CF64D994715BFB1EB46214F28C1DAD8498F2A3C33A980ACB62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2281007848.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11dd000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                                                                                                  • Instruction ID: 2315bb72e66c199b74145cb9057b24abe91edfbe601e31978b3b48912e8e0ce9
                                                                                                                                                  • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                                                                                                  • Instruction Fuzzy Hash: 6911CD72504240DFCF16CF44D5C0B56BF61FB84224F2482A9D8090A657C33AE45ACBA2
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 693c6244318ba0951c3ffba6136721b4386b90effb2ac562279500ae273ad1c1
                                                                                                                                                  • Instruction ID: c5a2e348bf930b07c6bd17f4d38cda9d24a5245a36655c059061e902426f1df5
                                                                                                                                                  • Opcode Fuzzy Hash: 693c6244318ba0951c3ffba6136721b4386b90effb2ac562279500ae273ad1c1
                                                                                                                                                  • Instruction Fuzzy Hash: B611A1312102138FC7AAAB34A8646BD7BA3EED2248754481DD247C7B40DE30688A8792
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3e2ec0ca9baf6f5e7ffc6190e54a2fe3e473362c667628aafcc1d9d217c46a00
                                                                                                                                                  • Instruction ID: ec0c1c3b9e391d160866d3853d9eb6735c3c96dda0e782bdf2b37470cae08d41
                                                                                                                                                  • Opcode Fuzzy Hash: 3e2ec0ca9baf6f5e7ffc6190e54a2fe3e473362c667628aafcc1d9d217c46a00
                                                                                                                                                  • Instruction Fuzzy Hash: 5E01D471B101099BDF50DEA9EC44ABFFBBAEFD8210B144036E608D3240DB70991587E1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e5877d328c92530a091ea9f17d364a487425748239ad12531d630cf94327f58f
                                                                                                                                                  • Instruction ID: 3a5431e423e2af6ccca85609a6d55ae29f7721e9a0972f90c8f82c4ba4ca7906
                                                                                                                                                  • Opcode Fuzzy Hash: e5877d328c92530a091ea9f17d364a487425748239ad12531d630cf94327f58f
                                                                                                                                                  • Instruction Fuzzy Hash: 0E11C2342046068FD325AF74E81469A7BF3EFC6315B14892DD19687740DF74980ACB92
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a3ca1b81e5cef25f8a1cb17b98ee680fac16281b0fac73b39846ef1b0826e037
                                                                                                                                                  • Instruction ID: 65211086806b06454245b5525306c3deae3a0e1cc1c5ee53d1457cfd8d156730
                                                                                                                                                  • Opcode Fuzzy Hash: a3ca1b81e5cef25f8a1cb17b98ee680fac16281b0fac73b39846ef1b0826e037
                                                                                                                                                  • Instruction Fuzzy Hash: FF017C312102178FC6A9A738E46467E7AA3FEE2258754482CD2078BB40DE707D468792
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2281007848.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_11dd000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 08907065ccc3d03ab4866a55201666822352ebc75b035ce0346566668181da12
                                                                                                                                                  • Instruction ID: 1e0377fa7c884deed9f843bea6ffd33102598637f3a805ae93d64e17ee0ca6ad
                                                                                                                                                  • Opcode Fuzzy Hash: 08907065ccc3d03ab4866a55201666822352ebc75b035ce0346566668181da12
                                                                                                                                                  • Instruction Fuzzy Hash: 3601F731108344DAEB184A69E984B67FF98EF42364F08C45AED090A2C2C378D444C772
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8c98ef0d1fc99f86e81e66c65be4b489517e19dd3b49dc5937cdc073f7e4878d
                                                                                                                                                  • Instruction ID: b24ada5781d92987ac7755cae1245d6f5d46b8465e412605ed1c33667013208d
                                                                                                                                                  • Opcode Fuzzy Hash: 8c98ef0d1fc99f86e81e66c65be4b489517e19dd3b49dc5937cdc073f7e4878d
                                                                                                                                                  • Instruction Fuzzy Hash: A601927420020A8FD324AF75E45469A77F3FBC9315B108A2DD25687744DF74A80ACB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: fb5c73557d44bc2514b890b1a7b922b25fe470546dbe7b9f0b197c2a907352cd
                                                                                                                                                  • Instruction ID: cf0c2f539a331b383989da6ee30719f295a6ceccbdf89dc9ef89aa629599353f
                                                                                                                                                  • Opcode Fuzzy Hash: fb5c73557d44bc2514b890b1a7b922b25fe470546dbe7b9f0b197c2a907352cd
                                                                                                                                                  • Instruction Fuzzy Hash: F101DB38A11702CFE7E48A35EA0552B77F7BF842157048C3CD102C2594DE71E440CFA1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2f4f347db1396f1f5b465dbe46b561b3b5c5fff2307b366b9f54514285f2d197
                                                                                                                                                  • Instruction ID: fe64ba728ee5a66e8c682aaba50fd8523fa70fcec372da91a54acab343912ea8
                                                                                                                                                  • Opcode Fuzzy Hash: 2f4f347db1396f1f5b465dbe46b561b3b5c5fff2307b366b9f54514285f2d197
                                                                                                                                                  • Instruction Fuzzy Hash: 7901923490A38ADFCB15EFB8E89455C7FB1BF46201B1444EDC695D7351DA301945CB52
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: eb960dbc103cb986a9d2de96a5ba6c9b258817ebcdc0503a7f5cb23d15c02356
                                                                                                                                                  • Instruction ID: 35602c8133da3bc8764001f6222948269c0812944191026efba2945438fb94d6
                                                                                                                                                  • Opcode Fuzzy Hash: eb960dbc103cb986a9d2de96a5ba6c9b258817ebcdc0503a7f5cb23d15c02356
                                                                                                                                                  • Instruction Fuzzy Hash: 6101C4B4D0421ADFEB84DFA9D9456AEBBF5BB48301F1084A9D515F3380E7740A80CF91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 69f06a7311d15197178d0bdd860ac588e17ac3d6ca2f182bb0d8508c475ce1bf
                                                                                                                                                  • Instruction ID: 8124018bfde5a870269204cd980275950b02402f317215c7b7add78d29e641ee
                                                                                                                                                  • Opcode Fuzzy Hash: 69f06a7311d15197178d0bdd860ac588e17ac3d6ca2f182bb0d8508c475ce1bf
                                                                                                                                                  • Instruction Fuzzy Hash: 5CF0F631B403009BE7A08A68AC44F597FE59B42721F048666F314CB1E1EAA1E855D340
                                                                                                                                                  Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2281007848.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_11dd000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a251c0497fc675b16b08c6833193c4f093c488bbe336c44a13ceccee8410a19
• Instruction ID: 1e932c83def9d5580e9d9167a5b1b563d7d5465d768a29deb2a11482be82e439
• Opcode Fuzzy Hash: 6a251c0497fc675b16b08c6833193c4f093c488bbe336c44a13ceccee8410a19
• Instruction Fuzzy Hash: 13F0C271004344AEEB148E1AD884B62FF98EB42724F18C45AED080F282C3789844CB71
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f0ee25d958ae52ea8c9cfe69217e6f397dcd14cd6c2ef8afc54befa4c9632a3
• Instruction ID: 1cec4a0eee358fbcda72684dd283f5c6f00c2dd621c9cd64e8a331af73d911c3
• Opcode Fuzzy Hash: 4f0ee25d958ae52ea8c9cfe69217e6f397dcd14cd6c2ef8afc54befa4c9632a3
• Instruction Fuzzy Hash: 05F0A7732041E83F8B514E9A5C14CFB3FEDDA8E1617084066FEE8C2142C429CD21ABB0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 737bb4fae3f26417dc046023418df42f2d540d82ecab4e65917ac092b75c29d7
• Instruction ID: 136500d7c5f5c4a3d92d8e80b3572ffdcbd89fd99a111efd797b3734af6e5786
• Opcode Fuzzy Hash: 737bb4fae3f26417dc046023418df42f2d540d82ecab4e65917ac092b75c29d7
• Instruction Fuzzy Hash: ACF027B1F142159B9F50CAA9AC856BF7BB8EFC9161B090426EA18C3280FB30880583E0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae1f761119e8ec71590acbbb0fcbfd3f8f3a6d3a1ccaf8cd9b81f26cd4eeaba6
• Instruction ID: 101f323895d3d0fe4260b11cd19528f6b672e639504488a9513e54fff36cd097
• Opcode Fuzzy Hash: ae1f761119e8ec71590acbbb0fcbfd3f8f3a6d3a1ccaf8cd9b81f26cd4eeaba6
• Instruction Fuzzy Hash: F3F0EC712053429FC3556F69B8947EF7FE6EFCB215B40486DE16AC3242CA3508498771
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d813ff96e23a3d581afe62be8801779326238658fd1858e6ed10145dc590e0e
• Instruction ID: f8d7fa55f25d38f84f7ab45473367ca51f4b9b55bd0c08ffcf45e0b7a9e4d550
• Opcode Fuzzy Hash: 0d813ff96e23a3d581afe62be8801779326238658fd1858e6ed10145dc590e0e
• Instruction Fuzzy Hash: C8F0F6302097D28FC322A738E81479A7FF6DF87204F08049EE2D2C7652CB615909C7A2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e173c3d66d144171abc38b50b7ba5df299457817e7336253e1e79873230c83fe
• Instruction ID: 46a9dc7da61187f1816eaf9ff07ffb506adc470412bafb5f7153f888218e78b8
• Opcode Fuzzy Hash: e173c3d66d144171abc38b50b7ba5df299457817e7336253e1e79873230c83fe
• Instruction Fuzzy Hash: D401D175505B468FD326DF25E848122BFF2FF89300B40C92EE4CA83A55CB30A44ACF40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4eb59719d2ad4d38014ca2245e40cfb4aa53a4e9d4a3fa66e51eab370f60e3d2
• Instruction ID: 897292a082b54b3c5a37d52d29ac9495e6b5fbc1d29ac42a205981c47c0dc7ad
• Opcode Fuzzy Hash: 4eb59719d2ad4d38014ca2245e40cfb4aa53a4e9d4a3fa66e51eab370f60e3d2
• Instruction Fuzzy Hash: C3F0A9F1C08149DFEF80CFB0C8161ADBFB0EB1A201F0045CAE402E7391E6744A81CB40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae5dbd18884c7c3ed9b63dbbf20006d65074ba721419f227bd74b21fbe31f5f9
• Instruction ID: 187c54ee3f0be461eaf22da6d45ab5155904b0b57de316d6958903d0546c3fe0
• Opcode Fuzzy Hash: ae5dbd18884c7c3ed9b63dbbf20006d65074ba721419f227bd74b21fbe31f5f9
• Instruction Fuzzy Hash: 6BF04F74A0224EEFCB14EFB8E89859C7BB6FB59201B1085A9C606E7354EB301E44CB81
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5dbc37f0fb7e77b9ac3e9cd8ca664d823033f75743ce8027381da09ebfe6399
• Instruction ID: d1d8b38aa2b2e5163047c17675d54cbd75a5e6773461b53d941870ddf756e737
• Opcode Fuzzy Hash: a5dbc37f0fb7e77b9ac3e9cd8ca664d823033f75743ce8027381da09ebfe6399
• Instruction Fuzzy Hash: EAF027F67092618FD35B1B786C281BC3FB6EA8A25530408CFD287CB296CA244507C3E1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a496e6c5f43d8ba180669992c8ebe63ce2fd18c48f17f0bf558fa7556dbc2e45
• Instruction ID: 7e9942c8dd8b6c9080d682eaf4928dbc434d53aa5232ff2da767963542ec09c9
• Opcode Fuzzy Hash: a496e6c5f43d8ba180669992c8ebe63ce2fd18c48f17f0bf558fa7556dbc2e45
• Instruction Fuzzy Hash: 6DF0F039900B01CFEBA4CE31DA017AB7BF2AF80214F08886CD042829A1DA74E449CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9acb6e3b00e400790d14207dd1e011ca7f59c428b4975731f5ef1bc63dad2f0f
• Instruction ID: 599e543d8b568361a8d2ee3026f3473db12e971b96c232457d155c7689934750
• Opcode Fuzzy Hash: 9acb6e3b00e400790d14207dd1e011ca7f59c428b4975731f5ef1bc63dad2f0f
• Instruction Fuzzy Hash: 13E09271204201ABC3146AAAA488B9F7AEAEBCA355B00442CE21EC3241CE61580547B5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f2f68777732117e79d04ae8d8e942ff9a3eaa50b5fcde98d897670c8700f5b12
• Instruction ID: f79fa9211d9e299512600b09a4a343c05c561135d08f29d41d625d8812883393
• Opcode Fuzzy Hash: f2f68777732117e79d04ae8d8e942ff9a3eaa50b5fcde98d897670c8700f5b12
• Instruction Fuzzy Hash: 02E092B210D2119FE380DB74EC4488B7BE8EF91220B11CC6EF544C7281E631D842CB6A
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19bbfdeee6587a73c02a60bc9b015ca3c3cd3f7127d161888e08a83df618ef63
• Instruction ID: e87d09a16df96bbff473f7f2c43e1c7f423da2fc68718d03b731316879005eb0
• Opcode Fuzzy Hash: 19bbfdeee6587a73c02a60bc9b015ca3c3cd3f7127d161888e08a83df618ef63
• Instruction Fuzzy Hash: 38F09074500B068FD725DF26E448522FBF6FB8C300B00C62EE58B82B14DB70A509CF84
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: faa593d0edccf098d838f7f6cf92bae9bb0fb81bd267980d19ed84133409929c
                                                                                                                                                  • Instruction ID: 01a71d37a57d3dd3704a3c02f1746c7047e58ac789de3cf0af3c47b10d681c11
                                                                                                                                                  • Opcode Fuzzy Hash: faa593d0edccf098d838f7f6cf92bae9bb0fb81bd267980d19ed84133409929c
                                                                                                                                                  • Instruction Fuzzy Hash: 14F01535D0120DAFDB01DFB4E9489CDBFB9EB44204F1082AAD945E2240EA305B55CB81
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e348021ee1382a1fcf70c0d3faee716b55c79dcfbef0c0cec52c0b20e13ac20b
                                                                                                                                                  • Instruction ID: 42b063bb81fe334704a62633449986921c1ad9740d39ac579c6b92848f791688
                                                                                                                                                  • Opcode Fuzzy Hash: e348021ee1382a1fcf70c0d3faee716b55c79dcfbef0c0cec52c0b20e13ac20b
                                                                                                                                                  • Instruction Fuzzy Hash: ACE065302047568FC721A73DF8587AE7BE6EF96318F04452DE35687741DBA168058791
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a80f538c0ad95920a1fa28834976886bf1254e178f2dadae79c37f9c76be8fc1
                                                                                                                                                  • Instruction ID: b3df76daa69c50afd7f5b9fec408e537313e0f68cbe92317d04f2832055d7446
                                                                                                                                                  • Opcode Fuzzy Hash: a80f538c0ad95920a1fa28834976886bf1254e178f2dadae79c37f9c76be8fc1
                                                                                                                                                  • Instruction Fuzzy Hash: 92E0D8312057858FD762FF34FC60AE97F60DB83212B05915AD080C7A46C6380C468BD6
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: be5952d655abe3b291a23ad1932175eb67556083c825ccaf885733700daa3fca
                                                                                                                                                  • Instruction ID: e5fe4225442225bb5d4b20697fc0bbee83f9426735999c9542470c12b4745e8e
                                                                                                                                                  • Opcode Fuzzy Hash: be5952d655abe3b291a23ad1932175eb67556083c825ccaf885733700daa3fca
                                                                                                                                                  • Instruction Fuzzy Hash: 27E026326013068FD74AB330FE216893BA2E79BB01B125067E801CB6F8CB340E4587E2
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 64c76591912a9af0c2c344cabd418d07c88736839b66bbf7c112fda7f7f7c2ee
                                                                                                                                                  • Instruction ID: 2fd419a8a2f76958c6a4b528f98fd6276ff1b133c22cfe576154880671d73616
                                                                                                                                                  • Opcode Fuzzy Hash: 64c76591912a9af0c2c344cabd418d07c88736839b66bbf7c112fda7f7f7c2ee
                                                                                                                                                  • Instruction Fuzzy Hash: 7FE0D87050A3C6EFEB53B734F4245583FB09F83511B25499ADC80C7A55C7340C45C782
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 53e0d31eb438238e26a72693056e4c7cd61b74e95adc147e378000368f985ab8
                                                                                                                                                  • Instruction ID: 1a66b306bdf073efd0f88d0ead7dfad60f1e66c6c6707eee7665364da7c2c937
                                                                                                                                                  • Opcode Fuzzy Hash: 53e0d31eb438238e26a72693056e4c7cd61b74e95adc147e378000368f985ab8
                                                                                                                                                  • Instruction Fuzzy Hash: D8E0D871909249EFCB01DB64AC1099D3BB1DA9210572042DAD405D3351E5300F158751
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bd78f1fe43b0b42bf26a5c00453310e8bab1334987b1df7be3df8189a54dba19
                                                                                                                                                  • Instruction ID: 5cf9b849d091c5eb794755e65f5fc6be99ff5ae0254e1bd2be1bc5adb1958864
                                                                                                                                                  • Opcode Fuzzy Hash: bd78f1fe43b0b42bf26a5c00453310e8bab1334987b1df7be3df8189a54dba19
                                                                                                                                                  • Instruction Fuzzy Hash: 00D05EB1310129978B0927A9B418AFE7BABEBC5672300012EE70BC3244CF755D0287E6
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f13c885658a4f2897214fd7845a2dc9d5d521e0a158eacd4b65799186111c6af
                                                                                                                                                  • Instruction ID: 204aebc810ccf305c60ecdc9e655805ba5d0920ed3642a984a7c474486e119e4
                                                                                                                                                  • Opcode Fuzzy Hash: f13c885658a4f2897214fd7845a2dc9d5d521e0a158eacd4b65799186111c6af
                                                                                                                                                  • Instruction Fuzzy Hash: 17E09275D0020DEFCB50DFE4E9848DDBBB9EB48201F1082AADA09A3200EB316B55DF80
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d548e762667f1f57f2d0ae2c79b3df00c3a3ee1e02f910a69b9b2920e9fc4390
                                                                                                                                                  • Instruction ID: 8780564fe178c1b38fddc82f4dd15a70c48a87d9e121e19bf1ce9793c37fb3bb
                                                                                                                                                  • Opcode Fuzzy Hash: d548e762667f1f57f2d0ae2c79b3df00c3a3ee1e02f910a69b9b2920e9fc4390
                                                                                                                                                  • Instruction Fuzzy Hash: 3AE0C739228282CFC3629F38D800821BFB0AF0320038888CAE0C0CB6B3C2208860DB11
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b6cb0a831948eba77320f1e65a64ffcdbedef9e86f875e6e7cc031ecbdabc218
                                                                                                                                                  • Instruction ID: 8ef8de2b9293bfd94cb7ee1c4489c9448430f6b88a45fd7c9f661bd4382fa187
                                                                                                                                                  • Opcode Fuzzy Hash: b6cb0a831948eba77320f1e65a64ffcdbedef9e86f875e6e7cc031ecbdabc218
                                                                                                                                                  • Instruction Fuzzy Hash: 64D05EB2A0020EFFCB40EFB8E91099DB7B9EB85209B1041ADD509E3300EA312F009B91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 48f67ce55ff351e236ee40e45f36eccb7708293d8e9869a8a5c57a4eb6275107
• Instruction ID: 7b772982cf8e2363d3caf63425d5aa7dcbcf8c931a785fb23a41bd91be91397f
• Opcode Fuzzy Hash: 48f67ce55ff351e236ee40e45f36eccb7708293d8e9869a8a5c57a4eb6275107
• Instruction Fuzzy Hash: BFC012767001224B0298B76C701046EA6D7A2EC1A7385003AE60EC3348CE719C434391
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc705c1272c7b0ac7046bd8417a4e6f550fcf10e396f2239af068dca3a7c6e11
• Instruction ID: 3232bc047c49b869d3b3251680a6c298b2fd96fa26dd39ad1479d57c46738165
• Opcode Fuzzy Hash: cc705c1272c7b0ac7046bd8417a4e6f550fcf10e396f2239af068dca3a7c6e11
• Instruction Fuzzy Hash: 01C04C25A4B3D15BEB121B34990D5147F656F53A24F2904CF968189463C5250009C791
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e283902feddc0cc7e8b61a1a8918a8cc1ac7e6028aacf4d01d4e152d425e8eef
• Instruction ID: 972775fc6950f4a71699c653409a5e16289152da337f2357207f8648731ba9c2
• Opcode Fuzzy Hash: e283902feddc0cc7e8b61a1a8918a8cc1ac7e6028aacf4d01d4e152d425e8eef
• Instruction Fuzzy Hash: 6592FD74E005158FD764DF58C590BAEB7B2BF88311F55C2AAC549AB34AC734AD82CF90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 986a74746bd95ed6b738abbc39b8235b6437034e4df351e0057600129b0a4120
• Instruction ID: b1a79785ec5797a194706cb7bef161ba158e36169971b2f0f55faa24178a5661
• Opcode Fuzzy Hash: 986a74746bd95ed6b738abbc39b8235b6437034e4df351e0057600129b0a4120
• Instruction Fuzzy Hash: 60621CB06003019BE748DF68D45875ABAE6EB85308F64C85CC1099F392DFBAD94B8FD5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2292128345.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6800000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc2d361fd7b1e85d9eb6e22b5a9fdfff76e7ef52bb1e67ea0d6d6ecd3d5250e8
• Instruction ID: c7238096ada5e88159b8453952f9814fc875ea21e5daac4f9f1c0f3fee5d7e3c
• Opcode Fuzzy Hash: cc2d361fd7b1e85d9eb6e22b5a9fdfff76e7ef52bb1e67ea0d6d6ecd3d5250e8
• Instruction Fuzzy Hash: 7C621CB06003019BE748DF28D45875ABAE6EB85308F64C85CC1099F392DFBAD94B8FD5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14bcaf9a8c50aba3ce78e30d432e8b35db1651f61e9ffdc53f26ff1ba9ecb475
• Instruction ID: 42ccb286d5d2a821787de90835820779d409d2d5878559c879794516db54a08b
• Opcode Fuzzy Hash: 14bcaf9a8c50aba3ce78e30d432e8b35db1651f61e9ffdc53f26ff1ba9ecb475
• Instruction Fuzzy Hash: CE321F74E006158FD764DF68C990BADBBB2BF88301F55C2AAC549AB346C734AD81CF90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 03eb36f90f60a20e7690af02ac4dbab291dc39101add538847d8cbbd10d196fe
• Instruction ID: d758d875ab9ef90c9fe20bbf3add0ec793f13fec75d0b56262a35f695dba7d10
• Opcode Fuzzy Hash: 03eb36f90f60a20e7690af02ac4dbab291dc39101add538847d8cbbd10d196fe
• Instruction Fuzzy Hash: 3CC19174E022189FDB44DFA9D584AAEBBF2FF88310F209069E815A7355DB349E41CF50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2281301029.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1350000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4d5dc908bf1dd72a02224fe47d282ff660973856970f5e408bdaa571edb4ea9
• Instruction ID: e2e115f068c0e3824c873c2e869b0cbaa603dadf90bb9e9d2382381e9a183708
• Opcode Fuzzy Hash: c4d5dc908bf1dd72a02224fe47d282ff660973856970f5e408bdaa571edb4ea9
• Instruction Fuzzy Hash: 16A1AE32E0020A8FCF15DFB8C8409DEBBB6FF85704B15456AED05AB265DB71E955CB80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64c671b19e06e6b6c8034cb55c4844203ee6d17bf2549bea93c13eaff279afaf
• Instruction ID: 06d4fe654b9936f5065e5a45273a4a830353a02ed2a808106e6212edcef05ada
• Opcode Fuzzy Hash: 64c671b19e06e6b6c8034cb55c4844203ee6d17bf2549bea93c13eaff279afaf
• Instruction Fuzzy Hash: 77A1B174E022089FDB44DFA9D984AEEBBF2FF88310F209069E854AB355D7349A51CF50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 092d3c82d01c6b0e2291972ed22cd04a8dc520845dbe88bb9a5199263edf2a78
• Instruction ID: 88884ba007045537aeacb609892e2d9b5a391ad9ba33350caff67d8122d0d66a
• Opcode Fuzzy Hash: 092d3c82d01c6b0e2291972ed22cd04a8dc520845dbe88bb9a5199263edf2a78
• Instruction Fuzzy Hash: B5B1A274E012498FDB24CFA8C584A8EFBF1FF49322F55C199D858AB215D730E995CBA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 439e4c2bd527affbefb45a93710f6c0e7e9f6f07dd5a35995618e0e24e69c186
• Instruction ID: 82c77b3278a0d5e6327d70640dbf86ef9c4d4b24ccf72b102682d0b8f6adcbf8
• Opcode Fuzzy Hash: 439e4c2bd527affbefb45a93710f6c0e7e9f6f07dd5a35995618e0e24e69c186
• Instruction Fuzzy Hash: F1B1D574E01229CFDB68DF69C894B9DBBB2BF89304F1084AAD409AB354DB315E85CF50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e046d701d4c8d266c60aa4f7984ede8de21ce5bbcfd0aa641a06800ab218815
• Instruction ID: 61b9cfbcb3ce42c365ca814b0580b244e500af3eb4ec674a26ada7ada0292c68
• Opcode Fuzzy Hash: 5e046d701d4c8d266c60aa4f7984ede8de21ce5bbcfd0aa641a06800ab218815
• Instruction Fuzzy Hash: 6A61F370E012188FEB68DF66C890B9EBBB2BF88301F14C1A9C54DAB254DB315A91CF51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 275264bfefa60f51ef88457a12c731131e1929c877586d19106dac82a1d2fd84
• Instruction ID: 5d723d859eecd9f1c9b6a621e3608f4654602e220d409c3c7a1e6333a4241ebf
• Opcode Fuzzy Hash: 275264bfefa60f51ef88457a12c731131e1929c877586d19106dac82a1d2fd84
• Instruction Fuzzy Hash: AD41EC71E012288FEB68CFAAD9407DEFBB2BF89300F14C1AAD549A7250DB301985CF51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92040c4c4f7595689bd325e27cd8049045a1d4af24449e299e51ee83dcd9cbb8
• Instruction ID: 635b45156b8d6849636d6f33be79923b11df9e13bf0fb40aae3588bff0e3c4c8
• Opcode Fuzzy Hash: 92040c4c4f7595689bd325e27cd8049045a1d4af24449e299e51ee83dcd9cbb8
• Instruction Fuzzy Hash: 9441D6B1E002188FDB58DFAAD8407DEBBF2BF88310F14C06AD459AB254DB341945CF50
Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 042729122d80235f89ee30f7a2e16e86debdd9ed2533d02dcd6f6737f207f490
                                                                                                                                                  • Instruction ID: 67734d2edb78afa356769dc79f4cca2fa1267d8615989791d52abf65b37994fa
                                                                                                                                                  • Opcode Fuzzy Hash: 042729122d80235f89ee30f7a2e16e86debdd9ed2533d02dcd6f6737f207f490
                                                                                                                                                  • Instruction Fuzzy Hash: 8A31D771D016299BEB18CFA6C84479EFAB3AFC9300F14C06AC819AB255DB711986CF50
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.2299630232.0000000008160000.00000040.00000800.00020000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_8160000_XHr735qu8v.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3a8ae39db69ae23aaeb714cf17868dd47d5e23a019bcad2c4be0e7209cd640b4
                                                                                                                                                  • Instruction ID: 4a2c22651e075ead2e1454d4336c73c2c992bb47be75641bda3be9b39ad5dda5
                                                                                                                                                  • Opcode Fuzzy Hash: 3a8ae39db69ae23aaeb714cf17868dd47d5e23a019bcad2c4be0e7209cd640b4
                                                                                                                                                  • Instruction Fuzzy Hash: E231C2B5E012588BEB18CFAAD9446DEBBF2BFC8310F24C13AD419AB254DB341946CF40
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%