Windows Analysis Report
CQPfRTSy7N.exe

Overview

General Information

Sample name: CQPfRTSy7N.exe (renamed because the original name is a hash value)
Original sample name: 8ddbe91dac2d37f344e4e8dd94dc73ee.exe
Analysis ID: 1431193
MD5: 8ddbe91dac2d37f344e4e8dd94dc73ee
SHA1: 7928fb3558db9214709fd473597c52bc72f761dc
SHA256: aad1d01aac286d947ba465b0a639add4188cd87aff233946b293f3fd91986438
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • CQPfRTSy7N.exe (PID: 7476 cmdline: "C:\Users\user\Desktop\CQPfRTSy7N.exe" MD5: 8DDBE91DAC2D37F344E4E8DD94DC73EE)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration: {"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}
Yara matches

Source | Rule | Description | Author
CQPfRTSy7N.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.1644098061.0000000000252000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: CQPfRTSy7N.exe PID: 7476 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.CQPfRTSy7N.exe.250000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched

Snort IDS alerts

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
04/24/24-17:16:58.305529 | 2046045 | 49730 | 2630 | TCP | A Network Trojan was detected
04/24/24-17:16:58.564160 | 2043234 | 2630 | 49730 | TCP | A Network Trojan was detected
04/24/24-17:17:03.848215 | 2046056 | 2630 | 49730 | TCP | A Network Trojan was detected
04/24/24-17:17:11.241423 | 2043231 | 49730 | 2630 | TCP | A Network Trojan was detected

                    AV Detection

Source: CQPfRTSy7N.exe | Malware Configuration Extractor: RedLine {"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}
Source: CQPfRTSy7N.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: CQPfRTSy7N.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: OProcSessIdntkrnlmp.pdbx, source: CQPfRTSy7N.exe, 00000000.00000002.1796744623.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: WINLOA~1.PDBwinload_prod.pdb-1051b.log source: CQPfRTSy7N.exe, 00000000.00000002.1796744623.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp

                    Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 103.113.70.99:2630
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 103.113.70.99:2630
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 103.113.70.99:2630 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 103.113.70.99:2630 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 103.113.70.99:2630
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 103.113.70.99:2630
Source: Joe Sandbox View | IP Address: 103.113.70.99
Source: Joe Sandbox View | ASN Name: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN
Source: unknown | TCP traffic detected without corresponding DNS query: 103.113.70.99 (reported 50 times)
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/D
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15V
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: CQPfRTSy7N.exe | String found in binary or memory: https://api.ip.sb/ip
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp64B0.tmp
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp64C1.tmp
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Code function: 0_2_0097DC74 | 0_2_0097DC74
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Code function: 0_2_05E967D8 | 0_2_05E967D8
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Code function: 0_2_05E9A3D8 | 0_2_05E9A3D8
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Code function: 0_2_05E93F50 | 0_2_05E93F50
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Code function: 0_2_05E96FE8 | 0_2_05E96FE8
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Code function: 0_2_05E96FF8 | 0_2_05E96FF8
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirefox.exe0 vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q,\\StringFileInfo\\080904B0\\OriginalFilename vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe, 00000000.00000002.1795942217.00000000009DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe, 00000000.00000000.1644121145.0000000000296000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUpspearing.exe8 vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe | Binary or memory string: OriginalFilenameUpspearing.exe8 vs CQPfRTSy7N.exe
Source: CQPfRTSy7N.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/5@0/1
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp64B0.tmp
Source: CQPfRTSy7N.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CQPfRTSy7N.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: msisip.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: wshext.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: appxsip.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: opcservices.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: esdsip.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Google Chrome.lnk.0.dr | LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: CQPfRTSy7N.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CQPfRTSy7N.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: CQPfRTSy7N.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: OProcSessIdntkrnlmp.pdbx, source: CQPfRTSy7N.exe, 00000000.00000002.1796744623.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb-1051b.log source: CQPfRTSy7N.exe, 00000000.00000002.1796744623.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp
Source: CQPfRTSy7N.exe | Static PE information: 0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Code function: 0_2_05E9E060 push es; ret 0_2_05E9E070
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Code function: 0_2_05E9ECF2 push eax; ret 0_2_05E9ED01
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Code function: 0_2_05E949AB push FFFFFF8Bh; retf 0_2_05E949AD
Source: C:\Users\user\Desktop\CQPfRTSy7N.exe | Code function: 0_2_05E93B4F push dword ptr [esp+ecx*2-75h]; ret 0_2_05E93B53

Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 BlobJump to behavior
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Memory allocated: 930000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Memory allocated: 2680000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Memory allocated: 2470000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Window / User API: threadDelayed 1447
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Window / User API: threadDelayed 8338
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe TID: 7600 Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: CQPfRTSy7N.exe, 00000000.00000002.1817925765.0000000005EEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Users\user\Desktop\CQPfRTSy7N.exe VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: CQPfRTSy7N.exe, 00000000.00000002.1818134383.0000000005F7C000.00000004.00000020.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1796744623.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match File source: dump.pcap, type: PCAP
                    Source: Yara match File source: CQPfRTSy7N.exe, type: SAMPLE
                    Source: Yara match File source: 0.0.CQPfRTSy7N.exe.250000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000000.00000000.1644098061.0000000000252000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: CQPfRTSy7N.exe PID: 7476, type: MEMORYSTR
                    Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
                    Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000029E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                    Source: CQPfRTSy7N.exe, 00000000.00000002.1820292281.0000000007298000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.json
                    Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLR^qt
                    Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q%appdata%`,^qdC:\Users\user\AppData\Roaming`,^qdC:\Users\user\AppData\Roaming\Binance
                    Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
                    Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q&%localappdata%\Coinomi\Coinomi\walletsLR^q
                    Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\Desktop\CQPfRTSy7N.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: Yara match File source: 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: CQPfRTSy7N.exe PID: 7476, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match File source: dump.pcap, type: PCAP
                    Source: Yara match File source: CQPfRTSy7N.exe, type: SAMPLE
                    Source: Yara match File source: 0.0.CQPfRTSy7N.exe.250000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000000.00000000.1644098061.0000000000252000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: CQPfRTSy7N.exe PID: 7476, type: MEMORYSTR
                    MITRE ATT&CK Matrix

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                    Execution: 221 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                    Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                    Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 1 Obfuscated Files or Information; 1 Install Root Certificate; 1 Timestomp; 1 DLL Side-Loading
                    Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                    Discovery: 231 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 113 System Information Discovery; Remote System Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                    Collection: 1 Archive Collected Data; 3 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                    Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    https://api.ip.sb/ip | 0% | URL Reputation | safe |
                    http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id15V | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/ | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id17ResponseD | 0% | Avira URL Cloud | safe |
                    http://tempuri.org/Entity/Id8ResponseD | 0% | Avira URL Cloud | safe |
                    No contacted domains info
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2005/02/sc/sct | CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id14ResponseD | CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id23ResponseD | CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id12Response | CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://tempuri.org/ | CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id2Response | CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id15V | CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id21Response | CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id9 | CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | false |
                                • Avira URL Cloud: safe
                                unknown
                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://tempuri.org/Entity/Id8CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://tempuri.org/Entity/Id6ResponseDCQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://tempuri.org/Entity/Id5CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://tempuri.org/Entity/Id4CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://tempuri.org/Entity/Id7CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://tempuri.org/Entity/Id6CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://tempuri.org/Entity/Id19ResponseCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://tempuri.org/Entity/Id13ResponseDCQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/faultCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2004/10/wsatCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://tempuri.org/Entity/Id15ResponseCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://tempuri.org/Entity/Id5ResponseDCQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://tempuri.org/Entity/Id6ResponseCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://api.ip.sb/ipCQPfRTSy7N.exefalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/ws/2004/04/scCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://tempuri.org/Entity/Id1ResponseDCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://tempuri.org/Entity/Id9ResponseCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://tempuri.org/Entity/Id20CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://tempuri.org/Entity/Id21CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://tempuri.org/Entity/Id22CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://tempuri.org/Entity/Id23CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/Entity/Id24CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/Entity/Id24ResponseCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://tempuri.org/Entity/Id1ResponseCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id21ResponseDCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressingCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trustCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/Entity/Id10CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://tempuri.org/Entity/Id11CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://tempuri.org/Entity/Id10ResponseDCQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://tempuri.org/Entity/Id12CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://tempuri.org/Entity/Id16ResponseCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/Entity/Id13CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id14CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id15CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id16CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/NonceCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://tempuri.org/Entity/Id17CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id18CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id5ResponseCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id19CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id15ResponseDCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id10ResponseCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RenewCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id11ResponseDCQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id8ResponseCQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyCQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://tempuri.org/Entity/Id17ResponseD | Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
http://schemas.xmlsoap.org/soap/envelope/ | Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002681000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://tempuri.org/Entity/Id8ResponseD | Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, CQPfRTSy7N.exe, 00000000.00000002.1797250699.00000000027C8000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2005/02/trust | Source: CQPfRTSy7N.exe, 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Contacted IPs
IP: 103.113.70.99 | Domain: unknown | Country: India | ASN: 133973 | ASN Name: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN | Malicious: true
                                                                                                                          Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                          Analysis ID:1431193
                                                                                                                          Start date and time:2024-04-24 17:16:06 +02:00
                                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                                          Overall analysis duration:0h 4m 47s
                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                          Report type:full
                                                                                                                          Cookbook file name:default.jbs
                                                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                                                                                                          Number of new started drivers analysed:0
                                                                                                                          Number of existing processes analysed:0
                                                                                                                          Number of existing drivers analysed:0
                                                                                                                          Number of injected processes analysed:0
                                                                                                                          Technologies:
                                                                                                                          • HCA enabled
                                                                                                                          • EGA enabled
                                                                                                                          • AMSI enabled
                                                                                                                          Analysis Mode:default
                                                                                                                          Analysis stop reason:Timeout
                                                                                                                          Sample name:CQPfRTSy7N.exe
                                                                                                                          renamed because original name is a hash value
                                                                                                                          Original Sample Name:8ddbe91dac2d37f344e4e8dd94dc73ee.exe
                                                                                                                          Detection:MAL
                                                                                                                          Classification:mal100.troj.spyw.evad.winEXE@1/5@0/1
                                                                                                                          EGA Information:
                                                                                                                          • Successful, ratio: 100%
                                                                                                                          HCA Information:
                                                                                                                          • Successful, ratio: 99%
                                                                                                                          • Number of executed functions: 87
                                                                                                                          • Number of non-executed functions: 4
                                                                                                                          Cookbook Comments:
                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                          • VT rate limit hit for: CQPfRTSy7N.exe
Time: 17:17:03 | Type: API Interceptor | Description: 59x Sleep call for process: CQPfRTSy7N.exe modified
Match: 103.113.70.99
Associated Sample Name / URL | Detection | Threat Name
G4jZEW68K1.exe | malicious | RedLine
X8K556WeiK.exe | malicious | RedLine
X8K556WeiK.exe | malicious | RedLine
dmA2g7xZV7.exe | malicious | RedLine
dmA2g7xZV7.exe | malicious | RedLine
K2xdxHSWJK.exe | malicious | RedLine
XHr735qu8v.exe | malicious | RedLine
gm5v3JlTMk.exe | malicious | RedLine
o8uKhd6peZ.exe | malicious | RedLine
vguZEL1YWf.exe | malicious | RedLine
Match: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN
Associated Sample Name / URL | Detection | Threat Name | Context
G4jZEW68K1.exe | malicious | RedLine | 103.113.70.99
X8K556WeiK.exe | malicious | RedLine | 103.113.70.99
X8K556WeiK.exe | malicious | RedLine | 103.113.70.99
dmA2g7xZV7.exe | malicious | RedLine | 103.113.70.99
dmA2g7xZV7.exe | malicious | RedLine | 103.113.70.99
K2xdxHSWJK.exe | malicious | RedLine | 103.113.70.99
XHr735qu8v.exe | malicious | RedLine | 103.113.70.99
gm5v3JlTMk.exe | malicious | RedLine | 103.113.70.99
o8uKhd6peZ.exe | malicious | RedLine | 103.113.70.99
vguZEL1YWf.exe | malicious | RedLine | 103.113.70.99
                                                                                                                                              Process:C:\Users\user\Desktop\CQPfRTSy7N.exe
                                                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:30 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):2104
                                                                                                                                              Entropy (8bit):3.4557451022122865
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:48:8SNRdATkoGRYrnvPdAKRkdAGdAKRFdAKR/U:8Syt
                                                                                                                                              MD5:570ED05781B566C59B900BB2140A0985
                                                                                                                                              SHA1:93CAC94A5B10F2D3FAEA4F9EBF0DBD1A4380796A
                                                                                                                                              SHA-256:79304BC94B59FA80D0AD762E41952F000C38B788BBA6318851EF29F409DAFCC3
                                                                                                                                              SHA-512:919BF9E6B943CF3C8EF513A99A87A3A30C6D0E8A45858FCFA75573CF7B038593FD8318C2DDFD23B5F55E81FA3E51650D447C027D403FB21A8FD9DDD85D2192C1
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Process:C:\Users\user\Desktop\CQPfRTSy7N.exe
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):3274
                                                                                                                                              Entropy (8bit):5.3318368586986695
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
                                                                                                                                              MD5:0C1110E9B7BBBCB651A0B7568D796468
                                                                                                                                              SHA1:7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
                                                                                                                                              SHA-256:112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
                                                                                                                                              SHA-512:46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                              Process:C:\Users\user\Desktop\CQPfRTSy7N.exe
                                                                                                                                              File Type:data
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):2662
                                                                                                                                              Entropy (8bit):7.8230547059446645
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                              MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                              SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                              SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                              SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                                              Process:C:\Users\user\Desktop\CQPfRTSy7N.exe
                                                                                                                                              File Type:data
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):2662
                                                                                                                                              Entropy (8bit):7.8230547059446645
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                              MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                              SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                              SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                              SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                                              Process:C:\Users\user\Desktop\CQPfRTSy7N.exe
                                                                                                                                              File Type:data
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):2251
                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3::
                                                                                                                                              MD5:0158FE9CEAD91D1B027B795984737614
                                                                                                                                              SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                                                                                                              SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                                                                                                              SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.047896203911261
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: CQPfRTSy7N.exe
File size: 314'078 bytes
MD5: 8ddbe91dac2d37f344e4e8dd94dc73ee
SHA1: 7928fb3558db9214709fd473597c52bc72f761dc
SHA256: aad1d01aac286d947ba465b0a639add4188cd87aff233946b293f3fd91986438
SHA512: 53e8cbf1bfec48b697034e1df60e218929e58451ffb23c17323a15ca405bc35eb449824e727ae71db9229cee0fafaffc01f3fc3aea874c0546a3e21c700f8f16
SSDEEP: 6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
TLSH: 79645C1823EC8911E27F4B7994A1E274D375ED56A452E30F4ED06CAB3E32741FA11AB2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................
Icon Hash: 4d8ea38d85a38e6d
Entrypoint: 0x42b9ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
popad
add byte ptr [ebp+00h], dh
je 00007F45D57461B2h
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 006C006Ch
xor eax, 59007400h
add byte ptr [edi+00h], dl
push edx
add byte ptr [ecx+00h], dh
popad
add byte ptr [edi+00h], dl
push esi
add byte ptr [edi+00h], ch
popad
add byte ptr [ebp+00h], ch
push 61006800h
add byte ptr [ebp+00h], ch
dec edx
add byte ptr [eax], bh
add byte ptr [edi+00h], dl
push edi
add byte ptr [ecx], bh
add byte ptr [ecx+00h], bh
bound eax, dword ptr [eax]
xor al, byte ptr [eax]
insb
add byte ptr [eax+00h], bl
pop ecx
add byte ptr [edi+00h], dl
js 00007F45D57461B2h
jnc 00007F45D57461B2h
pop edx
add byte ptr [eax+00h], bl
push ecx
add byte ptr [ebx+00h], cl
popad
add byte ptr [edi+00h], dl
dec edx
add byte ptr [ebp+00h], dh
pop edx
add byte ptr [edi+00h], dl
jo 00007F45D57461B2h
imul eax, dword ptr [eax], 5Ah
add byte ptr [ebp+00h], ch
jo 00007F45D57461B2h
je 00007F45D57461B2h
bound eax, dword ptr [eax]
push edi
add byte ptr [eax+eax+77h], dh
add byte ptr [ecx+00h], bl
xor al, byte ptr [eax]
xor eax, 63007300h
add byte ptr [edi+00h], al
push esi
add byte ptr [ecx+00h], ch
popad
add byte ptr [edx], dh
add byte ptr [eax+00h], bh
je 00007F45D57461B2h
bound eax, dword ptr [eax]
insd
add byte ptr [eax+eax+76h], dh
add byte ptr [edx+00h], bl
push edi
add byte ptr [ecx], bh
add byte ptr [eax+00h], dh
popad
add byte ptr [edi+00h], al
cmp dword ptr [eax], eax
insd
add byte ptr [edx+00h], bl
push edi
add byte ptr [esi+00h], cl
cmp byte ptr [eax], al
push esi
add byte ptr [eax+00h], cl
dec edx
add byte ptr [esi+00h], dh
bound eax, dword ptr [eax]
insd
add byte ptr [eax+00h], bh
jo 00007F45D57461B2h
bound eax, dword ptr [eax]
insd
add byte ptr [ebx+00h], dh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b95c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2b940 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2e994 | 0x2ec00 | 64c48738b5efa1379746874c338807d5 | False | 0.4696168950534759 | data | 6.205450376900145 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x32000 | 0x1c9d4 | 0x1cc00 | 5b3e8f48de8a05507379330b3cf331a7 | False | 0.23725373641304348 | data | 2.6063301335912525 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x50000 | 0xc | 0x400 | f921873e0b7f3fe3399366376917ef43 | False | 0.025390625 | data | 0.05390218305374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x321a0 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | - | 0.9934058898847631
RT_ICON | 0x35eb4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | - | - | 0.09013072282030049
RT_ICON | 0x466ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | - | - | 0.13905290505432216
RT_ICON | 0x4a924 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | - | - | 0.17033195020746889
RT_ICON | 0x4cedc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | - | - | 0.2045028142589118
RT_ICON | 0x4df94 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | - | - | 0.24645390070921985
RT_GROUP_ICON | 0x4e40c | 0x5a | data | - | - | 0.7666666666666667
RT_VERSION | 0x4e478 | 0x35a | data | - | - | 0.4417249417249417
RT_MANIFEST | 0x4e7e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/24/24-17:17:03.848215 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
04/24/24-17:16:58.305529 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
04/24/24-17:17:11.241423 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
04/24/24-17:16:58.564160 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                                                              Apr 24, 2024 17:17:10.616703987 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.616929054 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.617012978 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.617144108 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.663414955 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.663753986 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                              Apr 24, 2024 17:17:10.795793056 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.795816898 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.796231985 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.796277046 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.796528101 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.850270987 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.945113897 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.966912985 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.968533039 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.968609095 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.969077110 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.969317913 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.973835945 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:10.979203939 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                              Apr 24, 2024 17:17:11.240537882 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:11.241422892 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                              Apr 24, 2024 17:17:11.490875006 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                              Apr 24, 2024 17:17:11.543833017 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                              Apr 24, 2024 17:17:11.615153074 CEST497302630192.168.2.4103.113.70.99


Target ID: 0
Start time: 17:16:55
Start date: 24/04/2024
Path: C:\Users\user\Desktop\CQPfRTSy7N.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\CQPfRTSy7N.exe"
Imagebase: 0x250000
File size: 314'078 bytes
MD5 hash: 8DDBE91DAC2D37F344E4E8DD94DC73EE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1644098061.0000000000252000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1797250699.0000000002728000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1797250699.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


                                                                                                                                                Execution Graph

                                                                                                                                                Execution Coverage:6.8%
                                                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                Signature Coverage:0%
                                                                                                                                                Total number of Nodes:52
                                                                                                                                                Total number of Limit Nodes:9
                                                                                                                                                execution_graph 28944 97d300 DuplicateHandle 28945 97d396 28944->28945 28946 97d0b8 28947 97d0fe GetCurrentProcess 28946->28947 28949 97d150 GetCurrentThread 28947->28949 28950 97d149 28947->28950 28951 97d186 28949->28951 28952 97d18d GetCurrentProcess 28949->28952 28950->28949 28951->28952 28953 97d1c3 28952->28953 28954 97d1eb GetCurrentThreadId 28953->28954 28955 97d21c 28954->28955 28956 97ad38 28960 97ae30 28956->28960 28968 97ae20 28956->28968 28957 97ad47 28961 97ae41 28960->28961 28963 97ae64 28960->28963 28961->28963 28976 97b0b8 28961->28976 28980 97b0c8 28961->28980 28962 97ae5c 28962->28963 28964 97b068 GetModuleHandleW 28962->28964 28963->28957 28965 97b095 28964->28965 28965->28957 28969 97ae41 28968->28969 28970 97ae64 28968->28970 28969->28970 28974 97b0b8 LoadLibraryExW 28969->28974 28975 97b0c8 LoadLibraryExW 28969->28975 28970->28957 28971 97ae5c 28971->28970 28972 97b068 GetModuleHandleW 28971->28972 28973 97b095 28972->28973 28973->28957 28974->28971 28975->28971 28977 97b0dc 28976->28977 28979 97b101 28977->28979 28984 97a870 28977->28984 28979->28962 28981 97b0dc 28980->28981 28982 97a870 LoadLibraryExW 28981->28982 28983 97b101 28981->28983 28982->28983 28983->28962 28985 97b2a8 LoadLibraryExW 28984->28985 28987 97b321 28985->28987 28987->28979 28988 974668 28989 974684 28988->28989 28990 974696 28989->28990 28992 9747a0 28989->28992 28993 9747c5 28992->28993 28997 9748a1 28993->28997 29001 9748b0 28993->29001 28998 9748d7 28997->28998 29000 9749b4 28998->29000 29005 974248 28998->29005 29002 9748d7 29001->29002 29003 9749b4 29002->29003 29004 974248 CreateActCtxA 29002->29004 29004->29003 29006 975940 CreateActCtxA 29005->29006 29008 975a03 29006->29008 29008->29008
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: $^q
                                                                                                                                                • API String ID: 0-388095546
                                                                                                                                                • Opcode ID: 688f1388488d238085e7b8967257a97b8b6dbdcd0048dbcfaf5de575eea86a55
                                                                                                                                                • Instruction ID: 598be238ff1ca6fa1b7e86e0511544544a3b40dd50be7bd25653d54638d96edd
                                                                                                                                                • Opcode Fuzzy Hash: 688f1388488d238085e7b8967257a97b8b6dbdcd0048dbcfaf5de575eea86a55
                                                                                                                                                • Instruction Fuzzy Hash: FC126174B002158FDB18DF69C484AAEB7F6FF88704B149169D946EB3A5DB31DC42CB90
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c4114b0f9183bc4ed7f103bdd480142697fef68bc875cc8d9013d68fdff08cd7
                                                                                                                                                • Instruction ID: e8e3d30c129a12464bb4ee4db3d7377e40dc34743b7e48edba696b6d8a216429
                                                                                                                                                • Opcode Fuzzy Hash: c4114b0f9183bc4ed7f103bdd480142697fef68bc875cc8d9013d68fdff08cd7
                                                                                                                                                • Instruction Fuzzy Hash: 7F22AE71A002099FDB15DF68D980B9EBBF2FF88304F14856AE545EB261DB30ED46CB90
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 59ef8b8a9819b1e05ae7c4ba742dcb34e006db0eca8822def90eb6ab298820aa
                                                                                                                                                • Instruction ID: 8c3a23702b4789eb92e19d7621fa7863358cd90a0803222946f24cc648709fee
                                                                                                                                                • Opcode Fuzzy Hash: 59ef8b8a9819b1e05ae7c4ba742dcb34e006db0eca8822def90eb6ab298820aa
                                                                                                                                                • Instruction Fuzzy Hash: 1CD1F730900218CFDB18EFB4D954A9DBBB2FF8A301F1095A9D50AAB395DB35598ACF01
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 295 5e80d80-5e80dcb 300 5e80efd-5e80f10 295->300 301 5e80dd1-5e80dd3 295->301 305 5e81006-5e81011 300->305 306 5e80f16-5e80f25 300->306 302 5e80dd6-5e80de5 301->302 307 5e80deb-5e80e1d 302->307 308 5e80e9d-5e80ea1 302->308 310 5e81019-5e81022 305->310 315 5e80f2b-5e80f51 306->315 316 5e80fd1-5e80fd5 306->316 343 5e80e1f-5e80e24 307->343 344 5e80e26-5e80e2d 307->344 311 5e80eb0 308->311 312 5e80ea3-5e80eae 308->312 314 5e80eb5-5e80eb8 311->314 312->314 314->310 320 5e80ebe-5e80ec2 314->320 345 5e80f5a-5e80f61 315->345 346 5e80f53-5e80f58 315->346 318 5e80fe4 316->318 319 5e80fd7-5e80fe2 316->319 321 5e80fe6-5e80fe8 318->321 319->321 323 5e80ed1 320->323 324 5e80ec4-5e80ecf 320->324 327 5e81039-5e81066 321->327 328 5e80fea-5e80ff4 321->328 329 5e80ed3-5e80ed5 323->329 324->329 337 5e80ff7-5e81000 328->337 333 5e80edb-5e80ee5 329->333 334 5e81025-5e81032 329->334 347 5e80ee8-5e80ef2 333->347 334->327 337->305 337->306 348 5e80e91-5e80e9b 343->348 349 5e80e2f-5e80e50 344->349 350 5e80e52-5e80e76 344->350 352 5e80f63-5e80f84 345->352 353 5e80f86-5e80faa 345->353 351 5e80fc5-5e80fcf 346->351 347->302 354 5e80ef8 347->354 348->347 349->348 365 5e80e78-5e80e7e 350->365 366 5e80e8e 350->366 351->337 352->351 367 5e80fac-5e80fb2 353->367 368 5e80fc2 353->368 354->310 369 5e80e80 365->369 370 5e80e82-5e80e84 365->370 366->348 371 5e80fb4 367->371 372 5e80fb6-5e80fb8 367->372 368->351 369->366 370->366 371->368 372->368
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                • API String ID: 0-2449488485
                                                                                                                                                • Opcode ID: 5757fb88cdcdfefb1bda8e526828d96352ea717ad5ad04e746c3fc1e6db56471
                                                                                                                                                • Instruction ID: ecfe9c1e3fad26801d217551e9b8c963a55982a454a332a48c260d6495fae56a
                                                                                                                                                • Opcode Fuzzy Hash: 5757fb88cdcdfefb1bda8e526828d96352ea717ad5ad04e746c3fc1e6db56471
                                                                                                                                                • Instruction Fuzzy Hash: B2918F30B042098FDB09EF69C95897EBBF6BF88304B14945AE44A9B366DF34DC45CB91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 373 97d0a8-97d147 GetCurrentProcess 377 97d150-97d184 GetCurrentThread 373->377 378 97d149-97d14f 373->378 379 97d186-97d18c 377->379 380 97d18d-97d1c1 GetCurrentProcess 377->380 378->377 379->380 381 97d1c3-97d1c9 380->381 382 97d1ca-97d1e5 call 97d289 380->382 381->382 386 97d1eb-97d21a GetCurrentThreadId 382->386 387 97d223-97d285 386->387 388 97d21c-97d222 386->388 388->387
                                                                                                                                                APIs
                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0097D136
                                                                                                                                                • GetCurrentThread.KERNEL32 ref: 0097D173
                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0097D1B0
                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0097D209
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_CQPfRTSy7N.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID: \q[
• API String ID: 2063062207-3824160922
• Opcode ID: 6b03fe5cb4bc505a958daf9c2bd9305f859d01e0cfd9546f1fea38698c995cd8
• Instruction ID: 8f77de20adb38c39ec2bf0120f6fc290b827afcd07b4d94bc2d31ed8516c945d
• Opcode Fuzzy Hash: 6b03fe5cb4bc505a958daf9c2bd9305f859d01e0cfd9546f1fea38698c995cd8
• Instruction Fuzzy Hash: 1F5155B09013498FDB14DFA9D548BEEBBF1EF89304F20C459E019A73A0D7749989CB69
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
• Rendered graph not reproduced; entry block 97d0b8, API calls in graph: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId, internal call to 97d289
APIs
• GetCurrentProcess.KERNEL32 ref: 0097D136
• GetCurrentThread.KERNEL32 ref: 0097D173
• GetCurrentProcess.KERNEL32 ref: 0097D1B0
• GetCurrentThreadId.KERNEL32 ref: 0097D209
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_CQPfRTSy7N.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID: \q[
• API String ID: 2063062207-3824160922
• Opcode ID: 676b0b019cba0bcec1b88c9dd81ce81ddbffabec7bfce6b2c482c4b6c1142de2
• Instruction ID: 052948fa4c12e061301768ba2c77591b21999de8db8128f24928f94cf2e4fd46
• Opcode Fuzzy Hash: 676b0b019cba0bcec1b88c9dd81ce81ddbffabec7bfce6b2c482c4b6c1142de2
• Instruction Fuzzy Hash: 3C5145B09013098FDB14DFA9D548B9EBBF1FF89314F20C459E419A73A0D7749988CB69
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
• Rendered graph not reproduced; entry block 5e81582, no API calls in graph, internal call to 5e81788
Strings
Memory Dump Source
• Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-2392861976
• Opcode ID: f82f63af0dd8d3e5d9e8a6e63da77be0219d523429f4389a4a6d8e56a703c564
• Instruction ID: b17ffc758fad6fbb543aba6956a0674e2bc9e69ae732a5046f08ea688c3098a2
• Opcode Fuzzy Hash: f82f63af0dd8d3e5d9e8a6e63da77be0219d523429f4389a4a6d8e56a703c564
• Instruction Fuzzy Hash: 8AC10F307146048FDB48ABA8C854A7E77E7FB89704F109869E64B8B3A2DF75DC42CB51
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
• Rendered graph not reproduced; entry block 97ae30, API call in graph: GetModuleHandleW, internal calls to 979838, 97b0b8, 97b0c8, 97a814, 97a824, 97a834, 97a844
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0097B086
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_CQPfRTSy7N.jbxd
Similarity
• API ID: HandleModule
• String ID: \q[
• API String ID: 4139908857-3824160922
• Opcode ID: bba1cc1c34e7a2e0c83f185f41c9da1506e03f2ea0da65f5a5f4f26999f6009d
• Instruction ID: b1a45391f96c94269eb51ad23fd154e027486552e4972b77b924d3ef6114688f
• Opcode Fuzzy Hash: bba1cc1c34e7a2e0c83f185f41c9da1506e03f2ea0da65f5a5f4f26999f6009d
• Instruction Fuzzy Hash: 568157B1A00B058FD724DF29D44179ABBF5FF88300F048A2DE48AD7A50D775E849CB92
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
• Rendered graph not reproduced; entry block 975935, API call in graph: CreateActCtxA
APIs
• CreateActCtxA.KERNEL32(?), ref: 009759F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_CQPfRTSy7N.jbxd
Similarity
• API ID: Create
• String ID: \q[
• API String ID: 2289755597-3824160922
• Opcode ID: 2e450033dae9befbd0831d45337f26213e30c3ed0654f58d2713dcfb3ff8f814
• Instruction ID: e7126a426307d3f639d5128f0da6498700796ef024473945ab68e23075377aea
• Opcode Fuzzy Hash: 2e450033dae9befbd0831d45337f26213e30c3ed0654f58d2713dcfb3ff8f814
• Instruction Fuzzy Hash: 0D41E3B1C00659CEDB24CFA9C884BDEBBB5FF45314F24816AD408AB251DBB55946CF90
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
• Rendered graph not reproduced; entry block 974248, API call in graph: CreateActCtxA
APIs
• CreateActCtxA.KERNEL32(?), ref: 009759F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_CQPfRTSy7N.jbxd
Similarity
• API ID: Create
• String ID: \q[
• API String ID: 2289755597-3824160922
• Opcode ID: 83b4557ce23130a40811cdf46ebeb19647e4f46a71d92f85eb6894d70185f7d1
• Instruction ID: 4965edc44739097c1544f363500d10fa8347fd7df5c0165f551d911f335bc783
• Opcode Fuzzy Hash: 83b4557ce23130a40811cdf46ebeb19647e4f46a71d92f85eb6894d70185f7d1
• Instruction Fuzzy Hash: C741E2B1C00619CBDB24DFA9C844B9EBBF5FF45304F24816AD408AB251DBB56945CF94
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
• Rendered graph not reproduced; entry block 97d2f9, API call in graph: DuplicateHandle
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0097D387
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_CQPfRTSy7N.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: \q[
• API String ID: 3793708945-3824160922
• Opcode ID: 2e08c6b858bb750baaa07534a3c8e7ced5c4a0b782d3a0713ada497a693dbd02
• Instruction ID: c3cf452cc28ae652729e2255ed691ec25743bf77eb237e504f3ab4168f98c3b9
• Opcode Fuzzy Hash: 2e08c6b858bb750baaa07534a3c8e7ced5c4a0b782d3a0713ada497a693dbd02
• Instruction Fuzzy Hash: 232103B5D002489FDB10CFAAD884AEEBFF4EF48314F14801AE858A3310D374A940CFA4
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
• Rendered graph not reproduced; entry block 97d300, API call in graph: DuplicateHandle
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0097D387
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_CQPfRTSy7N.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: \q[
• API String ID: 3793708945-3824160922
• Opcode ID: f83814e94ab5d9d5fa9b65bd2b97063f49f0672b42ff13a8b77d4a80ede3346a
• Instruction ID: fd89818f686b26c7aee7bec94448d422b425910884a30600aa654ec2012b4351
• Opcode Fuzzy Hash: f83814e94ab5d9d5fa9b65bd2b97063f49f0672b42ff13a8b77d4a80ede3346a
• Instruction Fuzzy Hash: 2221E2B59002089FDB10CFAAD984ADEFBF8EF48324F14801AE918A7310C374A940CFA5
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (legend: Executed / Not Executed)
• Basic blocks: 97a870-97b2e8, 97b2ea-97b2ed, 97b2f0-97b31f (calls LoadLibraryExW), 97b321-97b327, 97b328-97b345
• Edges: 97a870 -> 97b2f0, 97a870 -> 97b2ea; 97b2ea -> 97b2f0; 97b2f0 -> 97b321, 97b2f0 -> 97b328; 97b321 -> 97b328
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0097B101,00000800,00000000,00000000), ref: 0097B312
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_CQPfRTSy7N.jbxd
Similarity
• API ID: LibraryLoad
• String ID: \q[
• API String ID: 1029625771-3824160922
• Opcode ID: 5ea59426c1ab29da5eff70b265d4a1a1813a0f8cd43a2dd1e4cfcddb024c2fa4
• Instruction ID: 65e1061216b655f024fa3a04270838a0a1755d0ad9c72bdd8c0bde2d27268451
• Opcode Fuzzy Hash: 5ea59426c1ab29da5eff70b265d4a1a1813a0f8cd43a2dd1e4cfcddb024c2fa4
• Instruction Fuzzy Hash: C11114B6D003498FDB10CF9AD444BDEFBF8EB48310F10842AD929A7211C375A945CFA4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
• Basic blocks: 97b2a0-97b2e8, 97b2ea-97b2ed, 97b2f0-97b31f (calls LoadLibraryExW), 97b321-97b327, 97b328-97b345
• Edges: 97b2a0 -> 97b2f0, 97b2a0 -> 97b2ea; 97b2ea -> 97b2f0; 97b2f0 -> 97b321, 97b2f0 -> 97b328; 97b321 -> 97b328
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0097B101,00000800,00000000,00000000), ref: 0097B312
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_CQPfRTSy7N.jbxd
Similarity
• API ID: LibraryLoad
• String ID: \q[
• API String ID: 1029625771-3824160922
• Opcode ID: 3de544d10825e10e573036849af72d1a97e4795de007e92c2261437a9790496e
• Instruction ID: d2589db317c2351607059d57091513a750c75177c40db073af4a0a471ef3bc9a
• Opcode Fuzzy Hash: 3de544d10825e10e573036849af72d1a97e4795de007e92c2261437a9790496e
• Instruction Fuzzy Hash: 8A1114B69002498FDB14CF9AD844BDEFBF4EF48310F14842AD829A7211C375A545CFA4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
• Basic blocks: 97b020-97b060, 97b062-97b065, 97b068-97b093 (calls GetModuleHandleW), 97b095-97b09b, 97b09c-97b0b0
• Edges: 97b020 -> 97b062, 97b020 -> 97b068; 97b062 -> 97b068; 97b068 -> 97b095, 97b068 -> 97b09c; 97b095 -> 97b09c
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0097B086
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_CQPfRTSy7N.jbxd
Similarity
• API ID: HandleModule
• String ID: \q[
• API String ID: 4139908857-3824160922
• Opcode ID: 4405118aed985d209a0fd7810686b8bbd1d2443da1c39dd858a5d6579756c053
• Instruction ID: c0fb2533e688ba0d85bbf7aa699c699e9289f27149ab5036d2047ee72d189653
• Opcode Fuzzy Hash: 4405118aed985d209a0fd7810686b8bbd1d2443da1c39dd858a5d6579756c053
• Instruction Fuzzy Hash: FF11D2B6C00349CFDB20DF9AD444BDEFBF4AB49314F14841AD469A7210C375A545CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed; no API calls in this function)
• Basic blocks (27): 5e97d58-5e97dc3, 5e97dc5-5e97dd0, 5e97dd2-5e97dde, 5e97de0-5e97dea, 5e97dec, 5e97dee-5e97dfd, 5e97dff, 5e97e01-5e97e0b, 5e97e0d-5e97e0f, 5e97e11-5e97e70, 5e97e72-5e97e78, 5e97e79-5e97e84, 5e97e86-5e97e94, 5e97e9b-5e97eb1, 5e97eb3-5e97ec8, 5e97ed3-5e97ed9, 5e97edb, 5e97ee3-5e97ee7, 5e97ee9-5e97eed, 5e97eef, 5e97ef7-5e97efb, 5e97efd-5e97f01, 5e97f03, 5e97f0b-5e97f0c, 5e97f0e-5e97f1e, 5e97f20, 5e97f25-5e97f2c
• Edges (40, listed by source block): 5e97d58 -> 5e97e0d, 5e97dc5; 5e97dc5 -> 5e97e0d, 5e97dd2; 5e97dd2 -> 5e97e01, 5e97de0; 5e97de0 -> 5e97dec, 5e97dee; 5e97dec -> 5e97dee; 5e97dee -> 5e97dee (self-loop), 5e97dff; 5e97dff -> 5e97e01; 5e97e01 -> 5e97e11; 5e97e0d -> 5e97e11; 5e97e11 -> 5e97e79, 5e97e72; 5e97e72 -> 5e97e79; 5e97e79 -> 5e97eb3, 5e97e86; 5e97e86 -> 5e97e9b; 5e97e9b -> 5e97ed3; 5e97eb3 -> 5e97ed3, 5e97f0e; 5e97ed3 -> 5e97edb, 5e97ee3; 5e97edb -> 5e97ee3; 5e97ee3 -> 5e97ee9, 5e97ef7; 5e97ee9 -> 5e97ef7, 5e97eef; 5e97eef -> 5e97ef7; 5e97ef7 -> 5e97f0b, 5e97efd; 5e97efd -> 5e97f03, 5e97f0b; 5e97f03 -> 5e97f0b; 5e97f0b -> 5e97f0e; 5e97f0e -> 5e97f20, 5e97f25; 5e97f20 -> 5e97f25
Strings
Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID: \q[$\q[
• API String ID: 0-809297578
• Opcode ID: e56d0ae4a5644d84f06df90e394c5f454d55a6e946a19c16499decccef74a5a7
• Instruction ID: 17bf566ac98c433336b0ba618ac0f462835d2dd499223314767fd882979a1af1
• Opcode Fuzzy Hash: e56d0ae4a5644d84f06df90e394c5f454d55a6e946a19c16499decccef74a5a7
• Instruction Fuzzy Hash: 705127B1E102188BDF18CFA9D845BDEBBB5FF89304F14812ED459AB244DB749846CF80
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID: \q[$\q[
• API String ID: 0-809297578
• Opcode ID: 39cb0742d792075aefcb6d30f6e933888d325345de2138aeb4cd72eaea880edd
• Instruction ID: 90acc4dc9aad881d9c55d734fed5753b81e92ea3505e275aa7517a1ed09e72fb
• Opcode Fuzzy Hash: 39cb0742d792075aefcb6d30f6e933888d325345de2138aeb4cd72eaea880edd
• Instruction Fuzzy Hash: B75137B0E142188BDF18CFA9D88579DBBF1FF49304F14802DD459AB240DB74984ACF80
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID: $^q$$^q
• API String ID: 0-355816377
• Opcode ID: 2c74cef5834cb9c2fbd973f651ee35ffb1c7b181daf7db70a9b17b8249fb73a2
• Instruction ID: 4b551659872e2809d7d779a48cbaba51356f059e2b9a655cacfa1e8e3034291f
• Opcode Fuzzy Hash: 2c74cef5834cb9c2fbd973f651ee35ffb1c7b181daf7db70a9b17b8249fb73a2
• Instruction Fuzzy Hash: 3D41C6707446015FEB48ABA9C854A7B36EBBF88704F116429F60A8F3A6DE71DC02C751
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: c1601b6283edcdf903488e3b9a1a4d898360bb5a7de1254088795d22b64fc96a
• Instruction ID: f896dc268ae3f5fcb4190a01e875b533b6abd88ca8e824cd1b5dc42ef3f3ecbb
• Opcode Fuzzy Hash: c1601b6283edcdf903488e3b9a1a4d898360bb5a7de1254088795d22b64fc96a
• Instruction Fuzzy Hash: A1C15F35600602CFCB15CF28C580D6ABBF2FF89314B16C99AD5999B665D730FC46CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63c0e60050c30fb760559fc7b6672bd6d4db0742ae3c54e7cd6d5b8481119c04
• Instruction ID: d463c176aa6240f6181d8b83eb5c3d9c67f4fbe3edb39dae856774f0b51fe027
• Opcode Fuzzy Hash: 63c0e60050c30fb760559fc7b6672bd6d4db0742ae3c54e7cd6d5b8481119c04
• Instruction Fuzzy Hash: B3C23E34B401189FDB54DFA4C954AADBBB6FF88704F108099E60AAB3A1DB71DD81CF91
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
• Opcode ID: 3f5a6899d5619354cf32d628daebe097165f5782afbdb07c87edddf442f3fb5a
• Instruction ID: 7a972f288e2b2b5171283b27b5415447b78891564d6697f70155bcf58f56360f
• Opcode Fuzzy Hash: 3f5a6899d5619354cf32d628daebe097165f5782afbdb07c87edddf442f3fb5a
• Instruction Fuzzy Hash: 41312171B042508FC719BB38E45066EBBE6EFCA30471448AED446CB365EE34EC078791
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
• Opcode ID: 3eddc682f2223896527d6d42848f41b5f27b58e9d374e795205ed1a699a60c28
• Instruction ID: cf4c7b1c12d3afec0c33533f76479546cf639070b08fe1360b08fbd8221b010a
• Opcode Fuzzy Hash: 3eddc682f2223896527d6d42848f41b5f27b58e9d374e795205ed1a699a60c28
• Instruction Fuzzy Hash: E531AE317002098BEB09BB78E4A466E77E7EBC92107104439D60BCB388EE35DD4687D2
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: \q[
                                                                                                                                                • API String ID: 0-3824160922
                                                                                                                                                • Opcode ID: 3054d8f2114f8fc35f5cfeebc0178d977566998f533ea2f3ab9ba2dca9eb69b1
                                                                                                                                                • Instruction ID: b14d66a41bda04bf2cc63f6073d9826f9bdda8cdcd40fc0740e23c2106650e86
                                                                                                                                                • Opcode Fuzzy Hash: 3054d8f2114f8fc35f5cfeebc0178d977566998f533ea2f3ab9ba2dca9eb69b1
                                                                                                                                                • Instruction Fuzzy Hash: 1941F2B1D05208DFDF18DFAAD944ADEFBF6AF88314F10802AE459A7250DB30A945CF90
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'^q
                                                                                                                                                • API String ID: 0-1614139903
                                                                                                                                                • Opcode ID: e65795184c62400c623efca0e37f93a51f85fddea97729e5bc7b53f44e557bc2
                                                                                                                                                • Instruction ID: cc7ceb2de270bec1f6ba81ac3ed7193d38305a38194aa68fb9a335582440daef
                                                                                                                                                • Opcode Fuzzy Hash: e65795184c62400c623efca0e37f93a51f85fddea97729e5bc7b53f44e557bc2
                                                                                                                                                • Instruction Fuzzy Hash: D221BF307002058FEB09BB78E5A467E36E7ABC9214724487DD10BDB389EE39DD468796
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: \q[
                                                                                                                                                • API String ID: 0-3824160922
                                                                                                                                                • Opcode ID: 7df37c80a49fa458baa5980626a6cbde0dc17c4196c53ce831c93e945775c362
                                                                                                                                                • Instruction ID: 0505d7324b31586f5d66e44304af59466eb755da9d9e1bf4982a5e45c2e15cb6
                                                                                                                                                • Opcode Fuzzy Hash: 7df37c80a49fa458baa5980626a6cbde0dc17c4196c53ce831c93e945775c362
                                                                                                                                                • Instruction Fuzzy Hash: F83114B5D05218DFDF14CFA9D894BDEBBF6AF49310F24802AE449A7250D734A842CB94
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: \q[
                                                                                                                                                • API String ID: 0-3824160922
                                                                                                                                                • Opcode ID: 85e30d5df7d54d398ddc47bbbd6b28006b5a21a2121a5edbf4f8068e84702131
                                                                                                                                                • Instruction ID: d74caaf8df3fb08f666b9dececda9a8ae870dc903b4ffaaa6ebc75857ee12f06
                                                                                                                                                • Opcode Fuzzy Hash: 85e30d5df7d54d398ddc47bbbd6b28006b5a21a2121a5edbf4f8068e84702131
                                                                                                                                                • Instruction Fuzzy Hash: 963111B1D01248DFDF18DFAAD544ADEBBF6AF48304F14802AD459BB250DB349945CF50
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: \q[
                                                                                                                                                • API String ID: 0-3824160922
                                                                                                                                                • Opcode ID: 0803aa1309fa362eb1cb3200d61ff3e48e0721de5c56c964b963606e8cdbe161
                                                                                                                                                • Instruction ID: 5a08e4c7c926d711cee83f2dc9f6753c6bf1e9a384b93b7ef748873ec9b4b1dc
                                                                                                                                                • Opcode Fuzzy Hash: 0803aa1309fa362eb1cb3200d61ff3e48e0721de5c56c964b963606e8cdbe161
                                                                                                                                                • Instruction Fuzzy Hash: 432125B5D04248DFDF18CFA9C894BDEBBF6AF09310F18802AE449E7250DB349846CB94
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'^q
                                                                                                                                                • API String ID: 0-1614139903
                                                                                                                                                • Opcode ID: 0e204be9fc3900b3f10b145e4d006e56b4b7b5c6f618135d3e4f1975d317eb08
                                                                                                                                                • Instruction ID: afb6226121fca1c4173ca8d4399cc1ccfaec7fdd2b51e227658820c528713e7f
                                                                                                                                                • Opcode Fuzzy Hash: 0e204be9fc3900b3f10b145e4d006e56b4b7b5c6f618135d3e4f1975d317eb08
                                                                                                                                                • Instruction Fuzzy Hash: E101D430906249AFCF04FF78E99549CBFB1FF45200B1015A9E405D7255EF301E49CB62
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'^q
                                                                                                                                                • API String ID: 0-1614139903
                                                                                                                                                • Opcode ID: a371523676f270da31225bccd78d1cf7693b57e93f5cb1d0feeee55664d196ec
                                                                                                                                                • Instruction ID: 0c175b419f38de69681f3349a0c4737f4241797a020b073be53ee8a2286fd19f
                                                                                                                                                • Opcode Fuzzy Hash: a371523676f270da31225bccd78d1cf7693b57e93f5cb1d0feeee55664d196ec
                                                                                                                                                • Instruction Fuzzy Hash: A1F090313406015FC209FB2DE450A6E77E7EBC96503108929D05ADB359EF20FD4B87A1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'^q
                                                                                                                                                • API String ID: 0-1614139903
                                                                                                                                                • Opcode ID: dd498f16c60e5a988ededa64527c3d6c7ddcf5498681fcdfe83c673903b9f837
                                                                                                                                                • Instruction ID: 05d185ba3cd7c9d5411719bdd3a9044e8dc14e673214990953f7ac7a5e0c5349
                                                                                                                                                • Opcode Fuzzy Hash: dd498f16c60e5a988ededa64527c3d6c7ddcf5498681fcdfe83c673903b9f837
                                                                                                                                                • Instruction Fuzzy Hash: 71F03C30A01209EFCF04FFB8E55955CBBB2FB44200B1065A9D40AD7358EF305A598B51
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 9d6f2fbf06a759645bc880f401bab127e274cc0872bb6d030f6d30ec176e7685
                                                                                                                                                • Instruction ID: 8feb6798fe83e9535d2c408dc3952411a918d842bde79fff3bcfe4985b720b9b
                                                                                                                                                • Opcode Fuzzy Hash: 9d6f2fbf06a759645bc880f401bab127e274cc0872bb6d030f6d30ec176e7685
                                                                                                                                                • Instruction Fuzzy Hash: 21426D30740A288FCB24AF69D454A2EB7E2FBC5704B105A5CD5079B3A5CF79ED058B86
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: ee7837f6e3069aef01e20552aedd30197294e4d15c1fada011cbd47d4ed6a0f9
                                                                                                                                                • Instruction ID: bc28fb6ab3d3dc30791489e15e34e3e32fc8a148a5589a7abf735d0e6dfe03d3
                                                                                                                                                • Opcode Fuzzy Hash: ee7837f6e3069aef01e20552aedd30197294e4d15c1fada011cbd47d4ed6a0f9
                                                                                                                                                • Instruction Fuzzy Hash: 90029E307406148FDB14AF68C868A3E77E2FF85704F105958DA079B3A6CF79ED498B92
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b7c5c933156c282f2e08d861840b6fc18f0060e1531f39adf165df406748e1f8
                                                                                                                                                • Instruction ID: dd0d14e059944b70d0c6e2ad0cffe42a7bd1465e852021065cf1c378d9b2c86b
                                                                                                                                                • Opcode Fuzzy Hash: b7c5c933156c282f2e08d861840b6fc18f0060e1531f39adf165df406748e1f8
                                                                                                                                                • Instruction Fuzzy Hash: F4029E307406148FDB14AFA4C858A3E77E2FF89704F105958DA4B9B3A5CF75ED498B81
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 408a160a696d7dc05c14582303fd3e85e923c7f6afb6453fe404a9955dfea195
                                                                                                                                                • Instruction ID: 2db241284775177a45d276e921e769942e1d237622c0412f8a11a54f8072e007
                                                                                                                                                • Opcode Fuzzy Hash: 408a160a696d7dc05c14582303fd3e85e923c7f6afb6453fe404a9955dfea195
                                                                                                                                                • Instruction Fuzzy Hash: DFF13734B402149FDB44DF68C994EA9BBF6FF89704F118099E50ADB3A2DA71ED41CB50
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c0850606adec67f22cf5f8e8ce6e2a3642b098b4eb6bcf4d2c5e1e8db63ddd87
                                                                                                                                                • Instruction ID: 04e581588075a77b39e17c443a24dd3d082f6d9b96adc4f124762da3b4713f86
                                                                                                                                                • Opcode Fuzzy Hash: c0850606adec67f22cf5f8e8ce6e2a3642b098b4eb6bcf4d2c5e1e8db63ddd87
                                                                                                                                                • Instruction Fuzzy Hash: C4E1B0307406148FEB14AFA4C858A3E77E6FF89704F109559DA0A8B3A1CF75ED49CB91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 497302b214fa92cda7eb52f15edff108bcf0939236e3a038a369aca35f6a30c1
                                                                                                                                                • Instruction ID: b404fff683a090d1938f8dd7c90e6807fef9579d22db54d3b964e7bcd376b6c7
                                                                                                                                                • Opcode Fuzzy Hash: 497302b214fa92cda7eb52f15edff108bcf0939236e3a038a369aca35f6a30c1
                                                                                                                                                • Instruction Fuzzy Hash: 18D181307403148FEB04ABA4C958B7A77E7FF89704F109555DA0A8B3A2CB75ED49CB91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 41df806509c51e5aebb8cb240badb835ee97733381dbd997e696ae28382a02ec
                                                                                                                                                • Instruction ID: 4589084d9c1cbbdf538db53d630ec0decfb33674818f05f390185805e3498623
                                                                                                                                                • Opcode Fuzzy Hash: 41df806509c51e5aebb8cb240badb835ee97733381dbd997e696ae28382a02ec
                                                                                                                                                • Instruction Fuzzy Hash: 4EC1B0307402048FEB44AFA4C859B7A77E7FF89704F109565EA0A8B3A2CB75DD49CB91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 68b42c471654dbc90cefbe2a22fae6a5608bc9a6373767612f42fede517bae53
                                                                                                                                                • Instruction ID: c5556fb6f18518fba22c9746007df34445fa13114dd70209e7259f400c88e532
                                                                                                                                                • Opcode Fuzzy Hash: 68b42c471654dbc90cefbe2a22fae6a5608bc9a6373767612f42fede517bae53
                                                                                                                                                • Instruction Fuzzy Hash: 77C16A74700205CFDB15DF69C484AAABBF2FF88305B1585A9E546DB3A6DB30EC46CB60
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 8ce4701d065c063b365923afa7217d34ce63c3aae782b3b5cceb100f600618be
                                                                                                                                                • Instruction ID: cbda56b5491b00cb44cc1cbe4f7fe76a55fef40a6b218b7e80deff659dcae155
                                                                                                                                                • Opcode Fuzzy Hash: 8ce4701d065c063b365923afa7217d34ce63c3aae782b3b5cceb100f600618be
                                                                                                                                                • Instruction Fuzzy Hash: 7F514935A00605CFDB15CF58C480DAABBF2FF89314B15C9AAE599AB361D730F805CB90
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 483ef18b95a939d45e425c34223afa8b7e087da2100f9e454dba43fe2581fd8f
                                                                                                                                                • Instruction ID: 219cfac8b099dc42562391b8a35920b8d2594a99cf1ead7a872919e65d77a9b9
                                                                                                                                                • Opcode Fuzzy Hash: 483ef18b95a939d45e425c34223afa8b7e087da2100f9e454dba43fe2581fd8f
                                                                                                                                                • Instruction Fuzzy Hash: 4B315075701210AFDB15DF38D484A6EBBB2FF89301B11846AE905CB365DB35ED45CBA0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: d0a27961a94223e69b98584310c0db871e71e59fff474965c928ef1af0336ebb
                                                                                                                                                • Instruction ID: 2e69b4f7d6a89631c0b8807b75565417683362d236497008f36fd7cca66440b8
                                                                                                                                                • Opcode Fuzzy Hash: d0a27961a94223e69b98584310c0db871e71e59fff474965c928ef1af0336ebb
                                                                                                                                                • Instruction Fuzzy Hash: 763109347092546FCB0E6F78E82847A7FBBFB8A21531019ABE505CB399DE758C05C761
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 278b5c02a7d82cb33461825e4f0fc718487cf0eff0011f5e5f3ebd806b90a063
                                                                                                                                                • Instruction ID: 4f105a388aa3d8c49cf4cca761aa5e6acf80dc4da66abf8ae13c9ef69a7e1fa5
                                                                                                                                                • Opcode Fuzzy Hash: 278b5c02a7d82cb33461825e4f0fc718487cf0eff0011f5e5f3ebd806b90a063
                                                                                                                                                • Instruction Fuzzy Hash: 5C315E35701210AFDB15DF38D88496EBBB2FF89301B50846AE906CB369DB35ED45CBA0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817825617.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e80000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4bf4f9b370b02c9d3166f5d860f6266a52b2ad10b1d09c6007ac20d85d7ad080
                                                                                                                                                • Instruction ID: 2f50911d756dec57a8c4135e93007c5e36ccb14374feda490fc70e357b793b67
                                                                                                                                                • Opcode Fuzzy Hash: 4bf4f9b370b02c9d3166f5d860f6266a52b2ad10b1d09c6007ac20d85d7ad080
                                                                                                                                                • Instruction Fuzzy Hash: 21215C35B400049FDB54DF69C994EAABBB2FF88714F1184A9E9099F3A5DB31EC05CB10
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1795585336.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_88d000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: cd2bb06ee9967ac8a0b7c94aa3366e5c6b335412a332a88401a0183d779711f8
                                                                                                                                                • Instruction ID: 036531f1ed37dd3048036faf603ad617cb93de376fb9d89b3430e42164a728ad
                                                                                                                                                • Opcode Fuzzy Hash: cd2bb06ee9967ac8a0b7c94aa3366e5c6b335412a332a88401a0183d779711f8
                                                                                                                                                • Instruction Fuzzy Hash: 08212571500304DFDB05EF14D9C0B26BF65FB98324F20C169E9098B296C33AE856CBA2
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1795607989.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false
                                                                                                                                                • Opcode Fuzzy Hash: c910a1268a322d870524704580bf52772bb0717a075b750bc0dad62cd625c6a3
                                                                                                                                                • Instruction Fuzzy Hash: 8601D630501B019FD7159F21E819462BBFAFB49300710861AE48683655DF70AA49CFD4
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c9ae16d3f793ae2c1337420fc97a26e5d49a377c473895ea9a2aa9423d12e62e
                                                                                                                                                • Instruction ID: 0c43d39671f0d0ac36af3f77b4cb75c231c718136f8ccc08596ebc2b94be444b
                                                                                                                                                • Opcode Fuzzy Hash: c9ae16d3f793ae2c1337420fc97a26e5d49a377c473895ea9a2aa9423d12e62e
                                                                                                                                                • Instruction Fuzzy Hash: BAF0E9312052506FD3517769E855A9B7FDAEB8A714B00007DF10AC7243CA75584A83B2
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: e96c4dbd1dcdb36b348e2dc0618e56571133006585622e9ca59843ea408ffb4a
                                                                                                                                                • Instruction ID: 90849e8e8c06f8e4d929c86aee87ea8ff4da3b18462d240b1fd81e463719ddee
                                                                                                                                                • Opcode Fuzzy Hash: e96c4dbd1dcdb36b348e2dc0618e56571133006585622e9ca59843ea408ffb4a
                                                                                                                                                • Instruction Fuzzy Hash: BB01E2B0C0826AAFCF04DFA4D9456EDBFB1BB09305F24A5AAE955A3251E7740A41CB90
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 16c53dd95ec4a81438510e28f0173c0971701ee451f6f4cdad8786d9f705f74d
                                                                                                                                                • Instruction ID: f2d1458ce5e2e18d17034ce1d69a466ed3d9f07c36758f2892cbaa1a8c5d2118
                                                                                                                                                • Opcode Fuzzy Hash: 16c53dd95ec4a81438510e28f0173c0971701ee451f6f4cdad8786d9f705f74d
                                                                                                                                                • Instruction Fuzzy Hash: 770104B4D0821EEFCB04DFA8D9446AEBBF1BB49304F10A5AA9455A3351E7340A40CF90
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1795585336.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_88d000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 5a7c2f064bbb721f659d1fabf9eb1deabbfdacea0748586ac5062242aae0af12
                                                                                                                                                • Instruction ID: 6d7c86b66edc6ac8b42981d158902801198a5beebb130255b44c77bf0cb5328a
                                                                                                                                                • Opcode Fuzzy Hash: 5a7c2f064bbb721f659d1fabf9eb1deabbfdacea0748586ac5062242aae0af12
                                                                                                                                                • Instruction Fuzzy Hash: 81F062714043449AEB109E16DC84B66FFA8EF51774F18C55AED084F2D6C279A844CBB1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4762bdfce1aa6327a9edfc2178b2bfec731f6c26c65e4ba59f290d192a835764
                                                                                                                                                • Instruction ID: a357cdb141b95f9cadb8edcf0c29e63a1135e7681bd0cf75dd27648dd7fbfc4c
                                                                                                                                                • Opcode Fuzzy Hash: 4762bdfce1aa6327a9edfc2178b2bfec731f6c26c65e4ba59f290d192a835764
                                                                                                                                                • Instruction Fuzzy Hash: 0FF0E9723092605FC71A17386C144BE7F66DAC665134810ABE182CF256DA64894B83E2
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a046df84ec88bcb656bbb7127a39ccd80bc07138feeccd4301b176a3cd73ac07
                                                                                                                                                • Instruction ID: 46af5447af7642e2cf7db9869a72eec4d23d5b3fef90748dcc7730401464220d
                                                                                                                                                • Opcode Fuzzy Hash: a046df84ec88bcb656bbb7127a39ccd80bc07138feeccd4301b176a3cd73ac07
                                                                                                                                                • Instruction Fuzzy Hash: 78F0B471505701CFDF2ACA61D5409A7B7B3FF81218B04987ED4C247917E675E986CB50
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 850305727d1ec46ad43f46a8b390eb462b1004906688300faa2c7711fa0ec3cb
                                                                                                                                                • Instruction ID: 38ebe49f78602cefdf28c09c932966ee5c16eadcfb1d95af51b96dff4a3add2a
                                                                                                                                                • Opcode Fuzzy Hash: 850305727d1ec46ad43f46a8b390eb462b1004906688300faa2c7711fa0ec3cb
                                                                                                                                                • Instruction Fuzzy Hash: 52F0BB302057D05FC3129738E91869B7FE6DF82344B04056AE146CB252CA656D09C7E5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: f646ab28dbe4d3b6e4118a2074357f56de967812ecded5ff3d081476a95adbef
                                                                                                                                                • Instruction ID: effd3f62c21afa5189e5aa5820cbea7cd19e573201ae02a8ae08dd183f367c48
                                                                                                                                                • Opcode Fuzzy Hash: f646ab28dbe4d3b6e4118a2074357f56de967812ecded5ff3d081476a95adbef
                                                                                                                                                • Instruction Fuzzy Hash: 34F012722041E83F8B555E9A5C50CFB7FEDDA8E56170841A6FE98D2141C42DC921ABB0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b7c1b7099e89f37c0b7522e7bb93f6ed1c0a519ffa8330fd3f5b07ea3a6f8b35
                                                                                                                                                • Instruction ID: dfcc724f306db16a2c1e013ca76f581898146f4a8ef024fb7718416aa55ea2a6
                                                                                                                                                • Opcode Fuzzy Hash: b7c1b7099e89f37c0b7522e7bb93f6ed1c0a519ffa8330fd3f5b07ea3a6f8b35
                                                                                                                                                • Instruction Fuzzy Hash: 95F09071740300AFDB209A68A844F957BE5AB85718F1582A7E254CF2E2E7B1D8458784
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 17f7c27eb9ef068a6f1727421087c43f0d7c298e19aae87ea47dbf2fac136981
                                                                                                                                                • Instruction ID: 5f972e640d3a23f616da0b70520a7412e1c1c87c056bd44b7fa7a86e536ee83e
                                                                                                                                                • Opcode Fuzzy Hash: 17f7c27eb9ef068a6f1727421087c43f0d7c298e19aae87ea47dbf2fac136981
                                                                                                                                                • Instruction Fuzzy Hash: 3EF0AFB0C0C2699FCB04CFA0C4451ADBFB1EB16201F0461DAE486E7362E3348A41CB00
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c485b60b723f6f4a4c45506d6183d53ce60f90e10daf56b45104a9bf67c8235c
• Instruction ID: 1d3ba8d56ba3259d7ac7a979815e3f0e8ce32f709fe3dc2400c791a106e80a65
• Opcode Fuzzy Hash: c485b60b723f6f4a4c45506d6183d53ce60f90e10daf56b45104a9bf67c8235c
• Instruction Fuzzy Hash: AFF0E272B081695BCF20DA79A844AFFBBB9EBD5110F08003AD684C3200E7308801C752
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 09660bc2f45decd2de667bdcd8436611da55952aa608664d70e7840356b9e62e
                                                                                                                                                • Instruction ID: 53f86f72f0c3dffbe4ee9024bcdc6e4a1f27c7613adf1e757f874b084c353828
                                                                                                                                                • Opcode Fuzzy Hash: 09660bc2f45decd2de667bdcd8436611da55952aa608664d70e7840356b9e62e
                                                                                                                                                • Instruction Fuzzy Hash: 5BF0A7322496F41FD3176738AC244EE3F66DBC7611309109BD586CB293CE64494AC7EA
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: d0eb2ef235ad92d0d9659e52a726d558c29690962cd2c50db0a3d9fa2feedfa5
                                                                                                                                                • Instruction ID: b38b4d06b0501388848f5645a862f8509c6b858dc9d591ade60bafd8af2c777c
                                                                                                                                                • Opcode Fuzzy Hash: d0eb2ef235ad92d0d9659e52a726d558c29690962cd2c50db0a3d9fa2feedfa5
                                                                                                                                                • Instruction Fuzzy Hash: 94E09231300210AFD3647A9AE448A9FBADAEBCA751B00413DF60EC3242CA75584947A6
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: d40ea5a0cc977d8f1bf017e06bc65c54e44dcae8e74eacbf7fc68b6e1260cc54
                                                                                                                                                • Instruction ID: 7c35b02ebf414146e4b77bb48ba5c9a6b2e58cb487ab349e1028b8af39416b89
                                                                                                                                                • Opcode Fuzzy Hash: d40ea5a0cc977d8f1bf017e06bc65c54e44dcae8e74eacbf7fc68b6e1260cc54
                                                                                                                                                • Instruction Fuzzy Hash: 81F09A34501B028FD725EF26E408522BBFAFB88300710D62EE88B83A14DB70A609CF84
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 56d9a7ca23464bf6956cedc1359dd01add534e96442bd9ab34b54a09f5325155
                                                                                                                                                • Instruction ID: 7922c48b965db93336a982378956ec4a06d6d7d02906cc4633090de751946a64
                                                                                                                                                • Opcode Fuzzy Hash: 56d9a7ca23464bf6956cedc1359dd01add534e96442bd9ab34b54a09f5325155
                                                                                                                                                • Instruction Fuzzy Hash: 4BE0D831106650EFC722BB18F8109EA3F91D749630B007356E004CF64ECEB01D4687E1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: f7d31e8741d7768ba7ba7ac5562fb5b74cc916381ff730ed486029429b734fbb
                                                                                                                                                • Instruction ID: 802f1e3a58f7a236627406df7fe39a9b1408224f916af670777e8d8747aead77
                                                                                                                                                • Opcode Fuzzy Hash: f7d31e8741d7768ba7ba7ac5562fb5b74cc916381ff730ed486029429b734fbb
                                                                                                                                                • Instruction Fuzzy Hash: 18F0C975D0120CBFCB41DFB4D9598DEBFB9EB48204F1042A6E909E3244EA305B55DBA1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 2f2f6ccf7775cd2d74ec76f384392741c0751034b33b2c2a5be8e109db5fdc9a
                                                                                                                                                • Instruction ID: 05e854788f28aba249889568de854e2b3b2d748ce8b548d95686e104f39b6f3d
                                                                                                                                                • Opcode Fuzzy Hash: 2f2f6ccf7775cd2d74ec76f384392741c0751034b33b2c2a5be8e109db5fdc9a
                                                                                                                                                • Instruction Fuzzy Hash: FEE065312007908FC711E76DE51879F7FE6EF85314F04052EE246C7755CBB5A8098791
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: e80321eb74c973cb40f278c40bb57c6167f4c93f428a02a972a9ca621ebf3ab6
                                                                                                                                                • Instruction ID: c7afc085ff79b77782db70a5ab353e7670f20c288350492d4abcae4cd35c011b
                                                                                                                                                • Opcode Fuzzy Hash: e80321eb74c973cb40f278c40bb57c6167f4c93f428a02a972a9ca621ebf3ab6
                                                                                                                                                • Instruction Fuzzy Hash: CFE0D870106780FFD712B720F4099E53B66DB45A247016395E8418F65EDAB45D4583A5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 9173b4edd8a02d6e7738a13d851ffcd7971d5f3677892ac7532ba3574954f2c1
                                                                                                                                                • Instruction ID: 6948333db3ef620b91ec897bf43444dd2fbdd7d304db52c56d555abe3b5f4ebb
                                                                                                                                                • Opcode Fuzzy Hash: 9173b4edd8a02d6e7738a13d851ffcd7971d5f3677892ac7532ba3574954f2c1
                                                                                                                                                • Instruction Fuzzy Hash: C1E04FB210D3804FD3169624B8095CA3B94EB62361F518CBFE584CA0A6E639D842C699
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 3c03f65bae49d26a62ccdfdf3d15eb59acd4abdbc47423babc044789b4920296
                                                                                                                                                • Instruction ID: d4ebf9d3398dc5fb069dc1d3355130e5ead4a1daf72a513ee24163ad7777a63b
                                                                                                                                                • Opcode Fuzzy Hash: 3c03f65bae49d26a62ccdfdf3d15eb59acd4abdbc47423babc044789b4920296
                                                                                                                                                • Instruction Fuzzy Hash: DBE02B243097205FDB0D26ACD8248FB7BABEB8B51035690ABE541CB14BEEB15C0A43E0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 7f8d7efddf539a67ac84a43dfdbf4a51e2c11fe23b4dd2a5e2a823bf35a93ca8
                                                                                                                                                • Instruction ID: 666ced05024cd03e5e2f993da47777bffc5922ee925273a860b759cd39266eb4
                                                                                                                                                • Opcode Fuzzy Hash: 7f8d7efddf539a67ac84a43dfdbf4a51e2c11fe23b4dd2a5e2a823bf35a93ca8
                                                                                                                                                • Instruction Fuzzy Hash: CCE01239215244AFD7029B54DC45CB63F79FF4A61034450C5F5418F5B3D621AD21DBB1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: cd8d9e1b43ac68c46d6f6e19aff9c96d2e6c0d291744e039b531afe5178c5c9d
                                                                                                                                                • Instruction ID: fca7e8a1ffc510faf918b799df01b53986232c64d4195b93f7e66d1ca0d39da3
                                                                                                                                                • Opcode Fuzzy Hash: cd8d9e1b43ac68c46d6f6e19aff9c96d2e6c0d291744e039b531afe5178c5c9d
                                                                                                                                                • Instruction Fuzzy Hash: D4E0DF71A45208FFCB42DF68E941ADE7BB1DB82200B2045EBE809EB251D6701F1597A2
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 243c4e2f32006d146b366a75d2d7630aa11fb233aa461d36286a0ba99a6749ce
• Instruction ID: 3ba18d0e0f11d62edfba056e10aff6d6d9a4505d3097c40ce70677e66e4545ec
• Opcode Fuzzy Hash: 243c4e2f32006d146b366a75d2d7630aa11fb233aa461d36286a0ba99a6749ce
• Instruction Fuzzy Hash: BEE06F30006A80EFCB01FB20FC119D03BA2F78EB24B013189E8004F3AEC7A00A4A87E1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17bcf89d8d1cfd0a09d9a9611adf7ab5631d3988b9ccce52b574e0bc124afd47
• Instruction ID: 910fa8bf7c8b63b5714747171a21697eb3c891041ef21de66ef14972dcdf22c4
• Opcode Fuzzy Hash: 17bcf89d8d1cfd0a09d9a9611adf7ab5631d3988b9ccce52b574e0bc124afd47
• Instruction Fuzzy Hash: 67D05E323106386BDB053769F5184AE7BABEBC9662304053EE60BCB342CF755D4A87D6
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 192241b60de65916e88ef1e65b6ea593a37c744d46123f7d8c9b14465e741d26
• Instruction ID: afaa3840154b2a63ba0fc8e4d4af8b59943fc2d83618439e93103a5aee71d3c4
• Opcode Fuzzy Hash: 192241b60de65916e88ef1e65b6ea593a37c744d46123f7d8c9b14465e741d26
• Instruction Fuzzy Hash: 40E09275D0020CEFCB40DFE4E9558DEBBB9EB48200F1092AAD909A3200EB306B55DF80
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b9bbca9bc0426b283803994df26ffaa3955688a02a53879d543894bf1a78aff
• Instruction ID: 00640ad0dbf5c8d2661b021f342e880a79df0df32840b980cd76c22a8406a1ef
• Opcode Fuzzy Hash: 7b9bbca9bc0426b283803994df26ffaa3955688a02a53879d543894bf1a78aff
• Instruction Fuzzy Hash: 30D05E71A0020CFFCB41EFADF90199DB7B9EB44214B1055AAD409E7304EB717F10AB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb0f76ff9aa8db4395de0bcfb056610d493d017b96f0861fdc9751041fd9a1c2
• Instruction ID: 1153415a0a40bab79bf3ab22811267359305cf8b3e3646a8f9f967ae1ab70b91
• Opcode Fuzzy Hash: bb0f76ff9aa8db4395de0bcfb056610d493d017b96f0861fdc9751041fd9a1c2
• Instruction Fuzzy Hash: 15C012327001200B0298BA6CF0142AEB6E7E2C86A3385022FF60EC3388DEB09D424391
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d9e81b09085d3431e7a1355d7221b287e342503fb47669d987da3b94f54c49ef
• Instruction ID: 4b1fde63c5950fd2283f558c9ba01e30b99f79118a737d36a3eb906e74624fd9
• Opcode Fuzzy Hash: d9e81b09085d3431e7a1355d7221b287e342503fb47669d987da3b94f54c49ef
• Instruction Fuzzy Hash: E3C09B315CB7D47FEB470770CC1D8853E25EF5271471501C6A7458E063D5710405C7A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 616a0c64dac5c8196f9626f0530d362fb31ece3290a8b9bb7dd296bcac7db74f
• Instruction ID: a663ca4ea1dcf838e0ce83d9bd8de0224973567c46d2f4482ac8fa4a93d9afe3
• Opcode Fuzzy Hash: 616a0c64dac5c8196f9626f0530d362fb31ece3290a8b9bb7dd296bcac7db74f
• Instruction Fuzzy Hash: 2FB012D3D04000939708100448818B7020382B5048F0705D04E5042302F510861240A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 106bd34cef5a4ed710f50922854e119122f78f559a9c6657e8fe9d212baebca1
• Instruction ID: 89867e22452eb94e221058614fdf8cf1c65dab43b499cf7ec3e794af3a1b039b
• Opcode Fuzzy Hash: 106bd34cef5a4ed710f50922854e119122f78f559a9c6657e8fe9d212baebca1
• Instruction Fuzzy Hash: 47622DB06002009FE748EF19D55871ABAE6EF85308F64C85CD10D9F396DBBBD94B8B91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cdd8211fb53d7e4ddb336d225ff19026d67a344bb3a434c04eb335ee72bc6733
• Instruction ID: 8366c217c969bf548cbb9af546db996459c35b8569525081d6f5ca48c54dceb5
• Opcode Fuzzy Hash: cdd8211fb53d7e4ddb336d225ff19026d67a344bb3a434c04eb335ee72bc6733
• Instruction Fuzzy Hash: 91622DB06002009FE748EF19D55871ABAE6EF84308F64C85CD10D9F396DBBBD94B8B95
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ceae267d1d66d62d01c13e23e6f08ec78aebf6e553274fe0f3f7c86e02332796
• Instruction ID: a256ffe85ad766f4a0c08fe9430bcfefc70da3f5b0bf112b1c3eff5dfa05cc97
• Opcode Fuzzy Hash: ceae267d1d66d62d01c13e23e6f08ec78aebf6e553274fe0f3f7c86e02332796
• Instruction Fuzzy Hash: 07A16B32A002198FCF05DFB4C8945DEB7B2FF85300B25857AE809BB266DB71E955CB90
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID: (_^q$(_^q$(_^q$(_^q$(_^q$(_^q
• API String ID: 0-2896069617
• Opcode ID: 2c44d4cb063f68bf0c75ead5ff9e2930bd49290bca507eb895b3ba59896fb726
• Instruction ID: 9dc025e7906e82b008e99171389d4a3b6697eb3a7425c1f0b316724f751245e3
• Opcode Fuzzy Hash: 2c44d4cb063f68bf0c75ead5ff9e2930bd49290bca507eb895b3ba59896fb726
• Instruction Fuzzy Hash: 11D1C135B042449FDB09EF78C4146AE7BB6FFC5300B24856AE946DB382DA35DE06CB91
Uniqueness
Uniqueness Score: -1.00%
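
The per-function entries above are easier to work with once parsed out of the report text: grouped by the memory dump they were carved from, and compared by their Instruction Fuzzy Hash so that near-identical functions (such as the two 05E90000 functions whose 70-digit hashes differ in only four positions) can be examined together in IDA. The following Python is an added example, not code from the Joe Sandbox report or from Joe Security; the sample text is copied from the entries above with the extraction indentation removed, and the positional hex-digit distance used to flag near-duplicates is an illustrative heuristic of this example, not Joe Sandbox's own similarity metric, which this page does not describe.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: entries copied from the report above (indentation removed);
# entries two to four omit fields the parser does not need, to keep it short.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e90000_CQPfRTSy7N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 106bd34cef5a4ed710f50922854e119122f78f559a9c6657e8fe9d212baebca1
• Instruction ID: 89867e22452eb94e221058614fdf8cf1c65dab43b499cf7ec3e794af3a1b039b
• Opcode Fuzzy Hash: 106bd34cef5a4ed710f50922854e119122f78f559a9c6657e8fe9d212baebca1
• Instruction Fuzzy Hash: 47622DB06002009FE748EF19D55871ABAE6EF85308F64C85CD10D9F396DBBBD94B8B91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
• Opcode ID: cdd8211fb53d7e4ddb336d225ff19026d67a344bb3a434c04eb335ee72bc6733
• Instruction Fuzzy Hash: 91622DB06002009FE748EF19D55871ABAE6EF84308F64C85CD10D9F396DBBBD94B8B95
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1795791508.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
• Opcode ID: ceae267d1d66d62d01c13e23e6f08ec78aebf6e553274fe0f3f7c86e02332796
• Instruction Fuzzy Hash: 07A16B32A002198FCF05DFB4C8945DEB7B2FF85300B25857AE809BB266DB71E955CB90
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1817844741.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
• String ID: (_^q$(_^q$(_^q$(_^q$(_^q$(_^q
• API String ID: 0-2896069617
• Opcode ID: 2c44d4cb063f68bf0c75ead5ff9e2930bd49290bca507eb895b3ba59896fb726
• Instruction Fuzzy Hash: 11D1C135B042449FDB09EF78C4146AE7BB6FFC5300B24856AE946DB382DA35DE06CB91
Uniqueness Score: -1.00%
"""

# "key: value" lines, with or without the leading bullet; sub-headings have no colon.
FIELD_RE = re.compile(r"^•?\s*([A-Za-z ]+?):\s*(.*)$")


def parse_entries(text):
    """Split the listing into one dict per 'Memory Dump Source' block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            if cur:
                entries.append(cur)
            cur = {}
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2).strip()
    if cur:
        entries.append(cur)
    return entries


def dump_offset(entry):
    """Load address of the memory dump the function was carved from."""
    m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", entry.get("Source File", ""))
    return int(m.group(1), 16) if m else None


def hex_distance(a, b):
    """Number of differing hex digits; None when the hashes differ in length."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def near_duplicates(entries, max_dist=4):
    """Pairs whose Instruction Fuzzy Hash differs in at most max_dist digits.
    Positional digit distance is this example's heuristic, not Joe Sandbox's metric."""
    pairs = []
    for e1, e2 in combinations(entries, 2):
        h1, h2 = e1.get("Instruction Fuzzy Hash"), e2.get("Instruction Fuzzy Hash")
        if h1 and h2:
            d = hex_distance(h1, h2)
            if d is not None and d <= max_dist:
                pairs.append((e1["Opcode ID"][:12], e2["Opcode ID"][:12], d))
    return pairs


def by_dump(entries):
    """Group Opcode IDs by the .sdmp file (text before ', Offset:')."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["Source File"].split(",", 1)[0]].append(e["Opcode ID"])
    return dict(groups)


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for name, ids in by_dump(ents).items():
        print(f"{name}: {len(ids)} function(s)")
    print("near-duplicates:", near_duplicates(ents))
```

On the sample, the only pair within four digits is 106bd34c... and cdd8211f..., both from the 05E90000 dump; with all Uniqueness Scores reported as -1.00%, a hash-distance pass like this is the quickest way to spot which of the listed functions are variants of one another before opening the .jbxd snapshot in IDA.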