Windows Analysis Report
e5oMWYWLig.exe

Overview

General Information

Sample name: e5oMWYWLig.exe (renamed because the original name is a hash value)
Original sample name: 1C14867A6F2CD134302561E60DD2EF2E.exe
Analysis ID: 1435122
MD5: 1c14867a6f2cd134302561e60dd2ef2e
SHA1: 2127a62fcb303ed0d3c9d331cf065c67d7c0bb28
SHA256: 177a882c7576a1deba30eebad7a241e989d0ee2e6f7662c2571e5c45ba8d1829
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides threads from debuggers
Installs new ROOT certificates
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • e5oMWYWLig.exe (PID: 5776 cmdline: "C:\Users\user\Desktop\e5oMWYWLig.exe" MD5: 1C14867A6F2CD134302561E60DD2EF2E)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware configuration: {"C2 url": "65.108.19.51:37149", "Bot Id": "6tsfdwj", "Authorization Header": "0311800e98e8d6ceb71b8a0c26e4b8c2"}
Yara rule matches (Source / Rule / Description / Author):

Source: dump.pcap, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: 00000000.00000002.2166177161.00000000003A2000.00000040.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: Process Memory Space: e5oMWYWLig.exe PID: 5776, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: Process Memory Space: e5oMWYWLig.exe PID: 5776, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
No Sigma rule has matched

Snort IDS alerts:

Timestamp: 05/02/24-06:56:53.815978
SID: 2043234
Source Port: 37149
Destination Port: 49705
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/02/24-06:56:53.631841
SID: 2046045
Source Port: 49705
Destination Port: 37149
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/02/24-06:57:10.322331
SID: 2043231
Source Port: 49705
Destination Port: 37149
Protocol: TCP
Classtype: A Network Trojan was detected

            AV Detection

Source: 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: RedLine {"C2 url": "65.108.19.51:37149", "Bot Id": "6tsfdwj", "Authorization Header": "0311800e98e8d6ceb71b8a0c26e4b8c2"}
Source: e5oMWYWLig.exe, ReversingLabs: Detection: 50%
Source: e5oMWYWLig.exe, Virustotal: Detection: 47%

            Compliance

Source: C:\Users\user\Desktop\e5oMWYWLig.exe, Unpacked PE file: 0.2.e5oMWYWLig.exe.3a0000.0.unpack
Source: e5oMWYWLig.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

            Networking

Source: Traffic, Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49705 -> 65.108.19.51:37149
Source: Traffic, Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49705 -> 65.108.19.51:37149
Source: Traffic, Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 65.108.19.51:37149 -> 192.168.2.5:49705
Source: Malware configuration extractor, URLs: 65.108.19.51:37149
Source: global traffic, TCP traffic: 65.108.19.51 ports 1,3,4,7,9,37149
Source: global traffic, TCP traffic: 192.168.2.5:49705 -> 65.108.19.51:37149
Source: Joe Sandbox View, ASN Name: ALABANZA-BALTUS ALABANZA-BALTUS
Source: unknown, TCP traffic detected without corresponding DNS query: 65.108.19.51
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.000000000598A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.000000000598A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.000000000598A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15V
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: e5oMWYWLig.exe, 00000000.00000002.2166177161.00000000003A2000.00000040.00000001.01000000.00000003.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: e5oMWYWLig.exeString found in binary or memory: https://sectigo.com/CPS0
            Source: e5oMWYWLig.exeString found in binary or memory: https://www.digicert.com/CPS0
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\e5oMWYWLig.exeFile created: C:\Users\user\AppData\Local\Temp\TmpF32B.tmpJump to dropped file
            Source: C:\Users\user\Desktop\e5oMWYWLig.exeFile created: C:\Users\user\AppData\Local\Temp\TmpF33B.tmpJump to dropped file

            System Summary

            Source: e5oMWYWLig.exe | Static PE information: section name:
            Source: e5oMWYWLig.exe | Static PE information: section name:
            Source: e5oMWYWLig.exe | Static PE information: section name:
            Source: e5oMWYWLig.exe | Static PE information: section name:
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_014FDDD7
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_04D6D9CC
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_090E3F50
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_090EA3E8
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_090E6860
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_090E6FE8
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_090E6FF8
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_090EA3C8
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: String function: 003DE148 appears 46 times
            Source: e5oMWYWLig.exe, 00000000.00000000.1957752338.00000000003D6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepatcher.dll0 vs e5oMWYWLig.exe
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs e5oMWYWLig.exe
            Source: e5oMWYWLig.exe | Binary or memory string: OriginalFilenamepatcher.dll0 vs e5oMWYWLig.exe
            Source: e5oMWYWLig.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: e5oMWYWLig.exe | Static PE information: Section: ZLIB complexity 0.9959435096153846
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/5@0/1
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File created: C:\Users\user\AppData\Local\Temp\TmpF32B.tmp
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File read: C:\Program Files (x86)\desktop.ini
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005D0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: e5oMWYWLig.exe | ReversingLabs: Detection: 50%
            Source: e5oMWYWLig.exe | Virustotal: Detection: 47%
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File read: C:\Users\user\Desktop\e5oMWYWLig.exe
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: msvcp140_clr0400.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: msisip.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: wshext.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: appxsip.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: opcservices.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: esdsip.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: sxs.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: scrrun.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: linkinfo.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
            Source: Google Chrome.lnk.0.dr | LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: e5oMWYWLig.exe | Static file information: File size 6182064 > 1048576
            Source: e5oMWYWLig.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x564800

            Data Obfuscation

            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Unpacked PE file: 0.2.e5oMWYWLig.exe.3a0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:R;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:R;Unknown_Section4:ER;.data:ER;
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Unpacked PE file: 0.2.e5oMWYWLig.exe.3a0000.0.unpack
            Source: e5oMWYWLig.exe | Static PE information: 0xD784B6A9 [Sun Jul 30 12:35:53 2084 UTC]
            Source: initial sample | Static PE information: section where entry point is pointing to: .data
            Source: e5oMWYWLig.exe | Static PE information: real checksum: 0x35474 should be: 0x5f1e16
            Source: e5oMWYWLig.exe | Static PE information: section name:
            Source: e5oMWYWLig.exe | Static PE information: section name:
            Source: e5oMWYWLig.exe | Static PE information: section name:
            Source: e5oMWYWLig.exe | Static PE information: section name:
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E22FE push 003E232Ch; ret 0_2_003E2324
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003EA2DE push 003EA5A4h; ret 0_2_003EA59C
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E2338 push 003E2364h; ret 0_2_003E235C
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E2370 push 003E239Ch; ret 0_2_003E2394
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E23A8 push 003E23D4h; ret 0_2_003E23CC
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E240C push 003E2440h; ret 0_2_003E2438
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E04F4 push 003E0545h; ret 0_2_003E053D
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003EA5A6 push 003EA617h; ret 0_2_003EA60F
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003F3670 push 003F36D0h; ret 0_2_003F36C8
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003F3726 push 003F3874h; ret 0_2_003F386C
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003F4724 push 003F4771h; ret 0_2_003F4769
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003EA75C push 003EA788h; ret 0_2_003EA780
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E07AE push 003E07DCh; ret 0_2_003E07D4
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003F27EE push 003F286Dh; ret 0_2_003F2865
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E086C push 003E0898h; ret 0_2_003E0890
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003F1840 push 003F18B6h; ret 0_2_003F18AE
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003F18B8 push 003F1960h; ret 0_2_003F1958
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003F1962 push 003F19B0h; ret 0_2_003F19A8
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E195C push ecx; mov dword ptr [esp], eax 0_2_003E195D
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003F3954 push ecx; mov dword ptr [esp], ecx 0_2_003F3957
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003F2AD4 push 003F2B00h; ret 0_2_003F2AF8
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E1BFE push 003E1C2Ch; ret 0_2_003E1C24
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003F3BC4 push ecx; mov dword ptr [esp], ecx 0_2_003F3BC6
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E1C38 push 003E1C64h; ret 0_2_003E1C5C
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_003E9C2C push ecx; mov dword ptr [esp], edx 0_2_003E9C31
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_014FDDD7 push esi; mov dword ptr [esp], esi 0_2_014FDE02
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_014FDDD7 push edi; mov dword ptr [esp], edx 0_2_014FDF4A
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_014FDDD7 push edi; mov dword ptr [esp], edx 0_2_014FDFD3
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_014FDDD7 push eax; mov dword ptr [esp], esi 0_2_014FE01D
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_014FDDD7 push ecx; mov dword ptr [esp], ebx 0_2_014FE0A5
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: 0_2_014FDDD7 push ebx; mov dword ptr [esp], ecx 0_2_014FE101
            Source: e5oMWYWLig.exe | Static PE information: section name: entropy: 7.994253282361942

            Persistence and Installation Behavior

            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Memory allocated: 4D20000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Memory allocated: 5880000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Memory allocated: 5540000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Window / User API: threadDelayed 358
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Window / User API: threadDelayed 1643
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe TID: 1848 | Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe TID: 4616 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: #Windows 10 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2012 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 8 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 11 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: vmware
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 8 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: "Windows 8 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 10 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Hyper-V (guest)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: e5oMWYWLig.exe, 00000000.00000002.2175962921.000000000260E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 10 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.000000000050A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ~VirtualMachineTypes
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.000000000050A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ]DLL_Loader_VirtualMachine
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2016 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.000000000050A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 11 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: )Windows 8 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2012 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: %Windows 2016 Microsoft Hyper-V Server
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: +Windows 8.1 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 2016 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 2016 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 8 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: xVBoxService.exe
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: *Windows 11 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ,Windows 2016 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 2012 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2191894528.0000000006CCD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VBoxService.exe
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 8.1 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: *Windows 10 Server Standard without Hyper-V
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VMWare
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: e5oMWYWLig.exe, e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
            Source: e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005B56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
            Source: e5oMWYWLig.exe, 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: #Windows 11 Microsoft Hyper-V Server
            Source: C:\Users\user\Desktop\e5oMWYWLig.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: RegOpenKeyExA, RegOpenKeyExA, RegOpenKeyExA, GetLocaleInfoA | 0_2_00527680
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Code function: GetLocaleInfoA | 0_2_0052778C
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Users\user\Desktop\e5oMWYWLig.exe VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: dump.pcap, type: PCAP
            Source: Yara match | File source: 00000000.00000002.2166177161.00000000003A2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: e5oMWYWLig.exe PID: 5776, type: MEMORYSTR
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
            Source: C:\Users\user\Desktop\e5oMWYWLig.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
            Source: Yara match | File source: 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: e5oMWYWLig.exe PID: 5776, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: dump.pcap, type: PCAP
            Source: Yara match | File source: 00000000.00000002.2166177161.00000000003A2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: e5oMWYWLig.exe PID: 5776, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | 1 OS Credential Dumping | 321 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 341 Virtualization/Sandbox Evasion | Security Account Manager | 341 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Install Root Certificate | Cached Domain Credentials | 123 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Source | Detection | Scanner | Label
            e5oMWYWLig.exe | 50% | ReversingLabs | Win32.Spyware.RedLine
            e5oMWYWLig.exe | 47% | Virustotal |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
http://purl.oen | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15V | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15V | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 4% | Virustotal | | Browse
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id4 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id6 | 1% | Virustotal | | Browse
http://Certera.crt.sectigo.com/CerteraCodeSigningCA.crt0 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id19Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe |
http://Certera.crl.sectigo.com/CerteraCodeSigningCA.crl0 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5ResponseD | 2% | Virustotal | | Browse
http://Certera.crl.sectigo.com/CerteraCodeSigningCA.crl0 | 0% | Virustotal | | Browse
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9Response | 2% | Virustotal | | Browse
http://Certera.crt.sectigo.com/CerteraCodeSigningCA.crt0 | 0% | Virustotal | | Browse
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id22 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id23 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id21ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id6Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id24Response | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id12 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe |
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07 | e5oMWYWLig.exe | false | | high
http://tempuri.org/ | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr | e5oMWYWLig.exe | false | | high
http://tempuri.org/Entity/Id15V | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://purl.oen | e5oMWYWLig.exe, 00000000.00000002.2178278526.000000000428E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13ResponseD | e5oMWYWLig.exe, 00000000.00000002.2184967075.000000000598A000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://Certera.crt.sectigo.com/CerteraCodeSigningCA.crt0 | e5oMWYWLig.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://Certera.crl.sectigo.com/CerteraCodeSigningCA.crl0 | e5oMWYWLig.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | e5oMWYWLig.exe, 00000000.00000002.2184967075.000000000598A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | e5oMWYWLig.exe, 00000000.00000002.2166177161.00000000003A2000.00000040.00000001.01000000.00000003.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1ResponseD | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id22 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005EEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1Response | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21ResponseD | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id10 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id11 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id10ResponseD | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id12 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id16Response | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id14 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id15 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id16 | e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe |
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Noncee5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id17e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id18e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id5Responsee5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id19e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnse5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id15ResponseDe5oMWYWLig.exe, 00000000.00000002.2184967075.000000000598A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id10Responsee5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Renewe5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id11ResponseDe5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005A50000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id8Responsee5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005881000.00000004.00000800.00020000.00000000.sdmp, e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeye5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0e5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDe5oMWYWLig.exe, 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
65.108.19.51 | unknown | United States | 11022 | ALABANZA-BALTUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1435122
Start date and time: 2024-05-02 06:56:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: e5oMWYWLig.exe (renamed because original name is a hash value)
Original Sample Name: 1C14867A6F2CD134302561E60DD2EF2E.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/5@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 66%
• Number of executed functions: 74
• Number of non-executed functions: 17
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
06:57:08 | API Interceptor | 11x Sleep call for process: e5oMWYWLig.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ALABANZA-BALTUS | WFdAK6HQgz.elf | malicious | Unknown | 65.109.195.235
ALABANZA-BALTUS | FATURA PROFORMA.exe | malicious | AgentTesla | 65.108.69.93
ALABANZA-BALTUS | SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe | malicious | PrivateLoader, PureLog Stealer | 65.108.134.122
ALABANZA-BALTUS | file.exe | malicious | Vidar | 65.109.242.73
ALABANZA-BALTUS | SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe | malicious | Phonk Miner, PureLog Stealer, Vidar | 65.109.242.73
ALABANZA-BALTUS | file.exe | malicious | Vidar | 65.109.242.73
ALABANZA-BALTUS | file.exe | malicious | Vidar | 65.109.242.73
ALABANZA-BALTUS | QBv5s2bHnV.elf | malicious | Unknown | 64.176.126.17
ALABANZA-BALTUS | fedex awb &Invoice.vbs | malicious | FormBook | 65.108.204.171
ALABANZA-BALTUS | bursocr.exe | malicious | BlackBasta | 64.176.219.106
No context
Process: C:\Users\user\Desktop\e5oMWYWLig.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:50 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category: dropped
Size (bytes): 2104
Entropy (8bit): 3.454252604942066
Encrypted: false
SSDEEP: 48:8SM9l2dfTXd3RYrnvPdAKRkdAGdAKRFdAKRE:8SM9lOw
MD5: 87F4FC56DD0C4C6F0DE2681608C5C56A
SHA1: 3F64EDDBAE5DEF9898082DD832ED9D10B83CFBD4
SHA-256: 0EF1D214E514A0320758B1FE9549E384C5EDEEA72DD7ABB640A5F31A18DAD53E
SHA-512: CEF8F3A738713A7BE5A4684811BB63822F1EBEF5B2118AC99F24E0EA7DAEDA230700EDB991BF5A5CF4B635B19A8D7BB7BCF0D869E01252CFDAFA5B7D7B994E7D
Malicious: false
Reputation: low
                                                                                                                Preview:L..................F.@.. ......,.......j.......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDW.r....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWUl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWUl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWUl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDW.r..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
Process: C:\Users\user\Desktop\e5oMWYWLig.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3274
Entropy (8bit): 5.3318368586986695
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
MD5: 0B2E58EF6402AD69025B36C36D16B67F
SHA1: 5ECC642327EF5E6A54B7918A4BD7B46A512BF926
SHA-256: 4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
SHA-512: 1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\Desktop\e5oMWYWLig.exe
File Type: data
Category: dropped
Size (bytes): 2662
Entropy (8bit): 7.8230547059446645
Encrypted: false
SSDEEP: 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA1: BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512: 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\e5oMWYWLig.exe
File Type: data
Category: dropped
Size (bytes): 2662
Entropy (8bit): 7.8230547059446645
Encrypted: false
SSDEEP: 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA1: BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512: 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                Process:C:\Users\user\Desktop\e5oMWYWLig.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2251
                                                                                                                Entropy (8bit):0.0
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3::
                                                                                                                MD5:0158FE9CEAD91D1B027B795984737614
                                                                                                                SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                                                                                SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                                                                                SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                                                                                Malicious:false
                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                Entropy (8bit):7.911893966908288
                                                                                                                TrID:
                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                File name:e5oMWYWLig.exe
                                                                                                                File size:6'182'064 bytes
                                                                                                                MD5:1c14867a6f2cd134302561e60dd2ef2e
                                                                                                                SHA1:2127a62fcb303ed0d3c9d331cf065c67d7c0bb28
                                                                                                                SHA256:177a882c7576a1deba30eebad7a241e989d0ee2e6f7662c2571e5c45ba8d1829
                                                                                                                SHA512:0031646c662ad4f1082b7e711ac9b2b86190dd031a61fc7fdbeba4abc1fca4c9e2438c8c5c87ef34db3cd62c303e4aa711d4076675318e70aa70e641f752bc37
                                                                                                                SSDEEP:98304:Lb19ov2iGedTohSxtTs3fVd0lPhjp9oPYLEEibe9jIPIhiUgsPoTDBZ33CrKOk3o:XfoOACSxTlaGFjIeiUlPoTDBhgk4
                                                                                                                TLSH:1356337186C82258E50E457C71E0D821FDFB83E8756899293EF78C88193E6DDBB11FA4
                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0......B......./... ........@.. .......................`... ..tT....@... .. .... .. .......... 0U....
                                                                                                                Icon Hash:4eb3693b332b4d0d
                                                                                                                Entrypoint:0x1eb2fa0
                                                                                                                Entrypoint Section:.data
                                                                                                                Digitally signed:true
                                                                                                                Imagebase:0x400000
                                                                                                                Subsystem:windows gui
                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                Time Stamp:0xD784B6A9 [Sun Jul 30 12:35:53 2084 UTC]
                                                                                                                TLS Callbacks:
                                                                                                                CLR (.Net) Version:
                                                                                                                OS Version Major:4
                                                                                                                OS Version Minor:0
                                                                                                                File Version Major:4
                                                                                                                File Version Minor:0
                                                                                                                Subsystem Version Major:4
                                                                                                                Subsystem Version Minor:0
                                                                                                                Import Hash:2e5467cba76f44a088d39f78c5e807b6
                                                                                                                Signature Valid:
                                                                                                                Signature Issuer:
                                                                                                                Signature Validation Error:
                                                                                                                Error Number:
                                                                                                                Not Before, Not After
                                                                                                                  Subject Chain
                                                                                                                    Version:
                                                                                                                    Thumbprint MD5:
                                                                                                                    Thumbprint SHA-1:
                                                                                                                    Thumbprint SHA-256:
                                                                                                                    Serial:
                                                                                                                    Instruction
                                                                                                                    jmp 00007F3A44D1C86Ah
                                                                                                                    add ah, bl
                                                                                                                    add al, 00h
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    pushad
                                                                                                                    call 00007F3A44D1C865h
                                                                                                                    pop ebp
                                                                                                                    sub ebp, 00000010h
                                                                                                                    sub ebp, 01AB2FA0h
                                                                                                                    jmp 00007F3A44D1C869h
                                                                                                                    mov ch, 7Dh
                                                                                                                    or eax, 2FA0B885h
                                                                                                                    stosd
                                                                                                                    add dword ptr [ebx], eax
                                                                                                                    lds eax, fword ptr [ecx+00004CC0h]
                                                                                                                    add byte ptr [ecx+000005BAh], bh
                                                                                                                    mov edx, 72CC3ACBh
                                                                                                                    xor byte ptr [eax], dl
                                                                                                                    inc eax
                                                                                                                    dec ecx
                                                                                                                    jne 00007F3A44D1C85Ch
                                                                                                                    jmp 00007F3A44D1C869h
                                                                                                                    inc ebp
                                                                                                                    xchg dword ptr [esi], ecx
                                                                                                                    loopne 00007F3A44D1C8A2h
                                                                                                                    push es
                                                                                                                    inc eax
                                                                                                                    inc edx
                                                                                                                    test ebx, 0A4ACBCBh
                                                                                                                    xor ecx, ebx
                                                                                                                    retf
                                                                                                                    retf
                                                                                                                    enter 7306h, CFh
                                                                                                                    retf
                                                                                                                    retf
                                                                                                                    retf
                                                                                                                    jno 00007F3A44D1C845h
                                                                                                                    retf
                                                                                                                    retf
                                                                                                                    retf
                                                                                                                    cmp al, 29h
                                                                                                                    enter 4003h, 4Ah
                                                                                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1553020 | 0xda5 | .data
                                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1553dc8 | 0x210 | .data
                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x3f18 | .rsrc
                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x28ab38b0 | 0x1c00 |
                                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1553000 | 0xc | .data
                                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                                                     | 0x2000 | 0x2e000 | 0x15200 | 29e390c5deb8d6552d2d1d58896c6b9d | False | 0.9959435096153846 | data | 7.994253282361942 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                     | 0x30000 | 0x4000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                     | 0x34000 | 0x2000 | 0x200 | 51ddd295f0cdc9d97f54428c66d93cf5 | False | 0.056640625 | data | 0.30531305731160896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                    .rsrc | 0x36000 | 0x4000 | 0x4000 | 7c169dd300b0b8765af4447cdb1852da | False | 0.95172119140625 | data | 7.799589109648368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                     | 0x3a000 | 0x1516000 | 0x32800 | 06bcd0662ea3f756e19b0ecff0caa25f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                    .data | 0x1550000 | 0x566000 | 0x564800 | 044862db000fa81e201835fd5d8344b6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                                                    RT_ICON | 0x36158 | 0x3ab4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9975379291988289
                                                                                                                    RT_GROUP_ICON | 0x39c0c | 0x14 | data | | | 1.05
                                                                                                                    RT_VERSION | 0x39c20 | 0x2f8 | data | English | United States | 0.45789473684210524
                                                                                                                    DLL | Import
                                                                                                                    kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
                                                                                                                    user32.dll | MessageBoxA
                                                                                                                    advapi32.dll | RegCloseKey
                                                                                                                    oleaut32.dll | SysFreeString
                                                                                                                    gdi32.dll | CreateFontA
                                                                                                                    shell32.dll | ShellExecuteA
                                                                                                                    version.dll | GetFileVersionInfoA
                                                                                                                    mscoree.dll | _CorExeMain
                                                                                                                    Language of compilation system | Country where language is spoken | Map
                                                                                                                    English | United States |
                                                                                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                    05/02/24-06:56:53.815978 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 37149 | 49705 | 65.108.19.51 | 192.168.2.5
                                                                                                                    05/02/24-06:56:53.631841 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49705 | 37149 | 192.168.2.5 | 65.108.19.51
                                                                                                                    05/02/24-06:57:10.322331 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49705 | 37149 | 192.168.2.5 | 65.108.19.51
                                                                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                    May 2, 2024 06:57:02.115720987 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.115793943 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.115881920 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.178833961 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.178900003 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.248315096 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.248374939 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.297363043 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.297380924 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.297430038 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.297477961 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.297724009 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.298088074 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.298135042 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.298950911 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.298962116 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.299026966 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.299112082 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.299340963 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.363526106 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.363593102 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.432549953 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.432617903 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.481662035 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.481796980 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.481895924 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.482938051 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.483006954 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.484075069 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.484117985 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.484132051 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.484266996 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.486079931 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.486136913 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.547723055 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.549734116 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.615722895 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.615817070 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.617110014 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.617214918 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.665040016 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.665124893 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.665153980 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.665199995 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.665256023 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.665611982 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.665654898 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.665966034 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.666027069 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.667093992 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.667165041 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.667382002 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.667458057 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.669717073 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.669774055 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.732657909 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.733705044 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.800158024 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.800229073 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.800288916 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.800353050 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.848378897 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.848427057 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.848439932 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.848515987 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.849318981 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.849375963 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.850214005 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.850743055 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.850809097 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.852974892 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.853039026 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.916703939 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.916775942 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:02.983695984 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:02.983818054 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.031886101 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.031935930 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.031995058 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.032221079 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.032293081 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.032799959 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.032844067 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.033396959 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.033406019 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.033416033 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.033468008 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.033883095 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.033891916 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.033951044 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.034050941 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.034076929 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.034123898 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.036750078 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.036803007 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.167583942 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.169749975 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.216248035 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.216335058 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.216543913 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.216615915 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.217020988 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.217073917 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.217205048 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.217258930 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.217432022 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.217489958 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.217703104 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.217747927 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.218884945 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.218950987 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.219058990 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.220475912 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.220535994 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.352945089 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.353025913 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.399427891 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.399561882 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.399861097 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.400150061 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.400265932 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.400335073 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.400610924 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.401021004 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.402198076 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.403736115 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.410017967 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.410130978 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.537107944 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.537184000 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.594424009 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.594439983 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.594444990 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.594721079 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.599767923 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.599778891 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.599837065 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.722316027 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.722388029 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.779299974 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.779345036 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.779386997 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.779429913 CEST4970537149192.168.2.565.108.19.51
                                                                                                                    May 2, 2024 06:57:03.780446053 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.780492067 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.783626080 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.784008980 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.787838936 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.788973093 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.907025099 CEST371494970565.108.19.51192.168.2.5
                                                                                                                    May 2, 2024 06:57:03.962709904 CEST371494970565.108.19.51192.168.2.5
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
May 2, 2024 06:57:03.962822914 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:03.962833881 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:03.963068962 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:03.963562012 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:03.964344978 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:03.966464043 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:04.011249065 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:04.033220053 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:04.216423988 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:04.216551065 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:04.216995001 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:04.261259079 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:04.383299112 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:04.568161011 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:04.620706081 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:04.708336115 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:04.893088102 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:04.893157005 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:04.893306971 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:04.895680904 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:04.896864891 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:04.899431944 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:05.085478067 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:05.136398077 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:07.936264992 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:08.120876074 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:08.124527931 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:08.308824062 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:08.495753050 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:08.672426939 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:08.677963018 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:08.678004026 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:08.856179953 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:08.995707989 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:09.178170919 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:09.178221941 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:09.763425112 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:09.947092056 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:09.952728987 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:10.136770010 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:10.137254000 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:10.321562052 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:10.322330952 CEST  49705        37149      192.168.2.5    65.108.19.51
May 2, 2024 06:57:10.506232023 CEST  37149        49705      65.108.19.51   192.168.2.5
May 2, 2024 06:57:10.565507889 CEST  49705        37149      192.168.2.5    65.108.19.51


Target ID: 0
Start time: 06:56:48
Start date: 02/05/2024
Path: C:\Users\user\Desktop\e5oMWYWLig.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\e5oMWYWLig.exe"
Imagebase: 0x3a0000
File size: 6'182'064 bytes
MD5 hash: 1C14867A6F2CD134302561E60DD2EF2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2166177161.00000000003A2000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2184967075.0000000005927000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 6%
Dynamic/Decrypted Code Coverage: 92.9%
Signature Coverage: 0%
Total number of Nodes: 28
Total number of Limit Nodes: 1
execution_graph (rendered graph; node/edge list omitted): entry nodes at 4d6ce40, 4d64668 and 531b8c; API calls annotated on nodes: DuplicateHandle, CreateActCtxA, VirtualAlloc

Control-flow Graph

control_flow_graph (rendered graph with Executed / Not Executed colouring; basic-block edge list omitted): function at 527680; callees 5240dc, 52412c, 5274c8, 524134, 524124, 524114, 5240fc, 5240d4, 52411c, 524104
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2166258335.0000000000524000.00000040.00000001.01000000.00000003.sdmp, Offset: 003DA000, based on PE: true
• Associated: 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166258335.000000000050A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166258335.00000000005B3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166258335.00000000011CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_3da000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                      • API String ID: 0-2375825460
                                                                                                                      • Opcode ID: 5a2bd7e358dd71e1880f307339c5a87f936b9d05fa3688705b480798fbaff360
                                                                                                                      • Instruction ID: 0c1d961a800a42c00ca8f87529fc3f22bbd35be4e296c8a5c460278f58598588
                                                                                                                      • Opcode Fuzzy Hash: 5a2bd7e358dd71e1880f307339c5a87f936b9d05fa3688705b480798fbaff360
                                                                                                                      • Instruction Fuzzy Hash: 71514B71A4426D7AEB25D6A4EC4BFEF7EACEF4A740F4400A1B604E61C1D6749E84CF60
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph (rendered graph with Executed / Not Executed colouring; basic-block edge list omitted): function at 90e3f50; callees 90e3c88, 90e48a8, 90e48b8
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: $]q
                                                                                                                      • API String ID: 0-1007455737
                                                                                                                      • Opcode ID: 30cdaa726708711088f2dc225d4d6c3a4224ec260370123a7f716cb4d752ceea
                                                                                                                      • Instruction ID: ae080296868b49285a2952ca59bef82c90de57e1792b3734949e5af0f4c78332
                                                                                                                      • Opcode Fuzzy Hash: 30cdaa726708711088f2dc225d4d6c3a4224ec260370123a7f716cb4d752ceea
                                                                                                                      • Instruction Fuzzy Hash: A9125E34B002158FCB54DF79C884AAEBBF6BF88710B158569E906EB365DB74EC01CB90
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: d
                                                                                                                      • API String ID: 0-367370944
                                                                                                                      • Opcode ID: e30c8d54b170b42826bd2fc420b90df3181f919f7dc951234c765e81cef8f4f6
                                                                                                                      • Instruction ID: a07775da272cbf8721ebffce7fb3c04588961d5ea0541441c1a912dd6ad628ce
                                                                                                                      • Opcode Fuzzy Hash: e30c8d54b170b42826bd2fc420b90df3181f919f7dc951234c765e81cef8f4f6
                                                                                                                      • Instruction Fuzzy Hash: B6D10434A00358CFCB19EFB4D854AADBBB2FF8A305F1091A9D41AAB254DB319985CF51
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: d
                                                                                                                      • API String ID: 0-367370944
                                                                                                                      • Opcode ID: 5d7ac4be8450f12e0c2db05f1d88ce5607c9ea962adf51e93876233f4b40256b
                                                                                                                      • Instruction ID: c4c459deeb18ccc02bd7c982219e75f82dcdce34d48a90c3d11c2ff27bd3a6b3
                                                                                                                      • Opcode Fuzzy Hash: 5d7ac4be8450f12e0c2db05f1d88ce5607c9ea962adf51e93876233f4b40256b
                                                                                                                      • Instruction Fuzzy Hash: 41D1F534E00258CFCB19EFB4D858A9DBBB2FF8A305F5091A9D41AAB354DB319885CF51
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2166258335.0000000000524000.00000040.00000001.01000000.00000003.sdmp, Offset: 003DA000, based on PE: true
• Associated: 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166258335.000000000050A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166258335.00000000005B3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166258335.00000000011CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_3da000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                      • API String ID: 0-2375825460
                                                                                                                      • Opcode ID: 2027446ae3fe7b74105be6e5cea2dc2c67e3da7c9e9ba6af6c3613d291ad1c6d
                                                                                                                      • Instruction ID: fee0a934d25a50f594944a1adda8e3a31b8b150b367f67bd71976749fbc22404
                                                                                                                      • Opcode Fuzzy Hash: 2027446ae3fe7b74105be6e5cea2dc2c67e3da7c9e9ba6af6c3613d291ad1c6d
                                                                                                                      • Instruction Fuzzy Hash: D9318972E0417D6AEB25D6B4AC4FFDE7EADAF4A340F4401A1A604E61C5EA748F84CF50
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph (rendered graph with Executed / Not Executed colouring; basic-block edge list omitted): function at 90c1ba0, spanning 90c1ba0-90c2f78; no call targets annotated
Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$hOp$x>p$x>p$x>p
• API String ID: 0-182128784
• Opcode ID: 0488195f6b2be0b78029e125e147536eccc7ea2707454ec03705cae8205e261a
• Instruction ID: af99c54774205896b543be1be77a7c40766ebf9e7c80764c86c4d7ac2ce7883d
• Opcode Fuzzy Hash: 0488195f6b2be0b78029e125e147536eccc7ea2707454ec03705cae8205e261a
• Instruction Fuzzy Hash: 1FC26D70A402189FCB15DF68C954EEEBBB6FF88700F108499E616AB3A1DB71ED41CB51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(control-flow graph rendering omitted; first listed basic block 90c3838-90c384b)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: (>p$(>p$,Bp$0=p$DBp$H=p$PHp$PHp$PHp$PHp$\Bp$hJp$t=p$t=p$t=p$t=p$tBp
• API String ID: 0-728374101
• Opcode ID: 41872463fe385bfae6e8c12e40c85a7d6135e1f61824d0335c24444c65d9d0b9
• Instruction ID: 4fefd21f64db3a3eb7fa2f6bd92d76b5fe1ceeec7639da6b95c92f805d1a988f
• Opcode Fuzzy Hash: 41872463fe385bfae6e8c12e40c85a7d6135e1f61824d0335c24444c65d9d0b9
• Instruction Fuzzy Hash: 53824871B002049FCB04DB68C995E6EBBFAFF89700F158499E605DB3A2DA71ED45CB60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(control-flow graph rendering omitted; first listed basic block 90c0d80-90c0dcb)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: hMu$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-1636402579
• Opcode ID: 9bae57d361d4ea14eae1185b812bd8398d5a3ed1211298836be938affe3b19d7
• Instruction ID: 92319714ff1bd7790a3e35d91ec4e9ecb87e5ca32c79f80b3322587d81cbb6d0
• Opcode Fuzzy Hash: 9bae57d361d4ea14eae1185b812bd8398d5a3ed1211298836be938affe3b19d7
• Instruction Fuzzy Hash: 6732D170704245DFDB558B68C954A7EBBFABF89700F14886AE906CB3A2CB74DC42CB51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(control-flow graph rendering omitted; first listed basic block 90c1582-90c1584)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-3723351465
• Opcode ID: 329e163d0da93dc5a3730e190166bc8c5dc9f55eabee1dfceb3ce7d21e898e37
• Instruction ID: aeb90ea12f78c1446592e53dfb8c1d12b97f835ce7a39c3b4c054815fe0872b1
• Opcode Fuzzy Hash: 329e163d0da93dc5a3730e190166bc8c5dc9f55eabee1dfceb3ce7d21e898e37
• Instruction Fuzzy Hash: 30C1F5707082408FDB558B68C554A2E77EAFF99704F04896EE902CB3A2DF75DC46C751
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(control-flow graph rendering omitted; first listed basic block 90c1290-90c12af)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: hMu$$]q$$]q
• API String ID: 0-3609041769
• Opcode ID: 0f201222857d5f7a2e469cca5cbe18ea5e2cd95d8fe525332b873f13b1e88727
• Instruction ID: f43fb27b6689f5d58cc007c65b4960ca3bdb615ddca71ee7848388aaabe53816
• Opcode Fuzzy Hash: 0f201222857d5f7a2e469cca5cbe18ea5e2cd95d8fe525332b873f13b1e88727
• Instruction Fuzzy Hash: 6A41B2B4744301AFD7854BA8C854E7F76EABF98704F104829FA028B3A6CEB1DD528791
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(control-flow graph rendering omitted; first listed basic block 90c34d8-90c34fa)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: Tau$Tau
• API String ID: 0-1577488260
• Opcode ID: b2aca074083dff409bed71cc8a665cf4fcd4946bc9353b4ad1117ccab6989a66
• Instruction ID: 715545fbf13b3f1131a098c9516b703077967ffb8602cd68fd0caa48c4f2d121
• Opcode Fuzzy Hash: b2aca074083dff409bed71cc8a665cf4fcd4946bc9353b4ad1117ccab6989a66
• Instruction Fuzzy Hash: E4513635B102059FCB44DF69C8949AEBBF6EF88710B118469F909AB3A1EB71EC05CB50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(control-flow graph rendering omitted; single basic block 90ec0a8-90ec144)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: X~d$X~d
• API String ID: 0-3530928264
• Opcode ID: 50350d752433c6c6563ff19ba4856e33bcd41eefdea49a73d2ac72ca326baacf
• Instruction ID: 338200248898235b922011477587cd889eaf414efa588638eee459c63e6a5bf2
• Opcode Fuzzy Hash: 50350d752433c6c6563ff19ba4856e33bcd41eefdea49a73d2ac72ca326baacf
• Instruction Fuzzy Hash: 43019E302042048FD324EFA4E05862A77E6EFC6355F508A39C44A87754CF78E80ACB92
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(control-flow graph rendering omitted; first listed basic block 4d65935-4d6593c, CreateActCtxA called in block 4d65944-4d65a01)
                                                                                                                      APIs
                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 04D659F1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2184108013.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4d60000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Create
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2289755597-0
                                                                                                                      • Opcode ID: ca0ec9910cad67408076e451ec197badb7271a821ce5c218aaa1006fade8b4e5
                                                                                                                      • Instruction ID: 102fe9463fad80678865afc367b7b6dfcb00c476a3f71cdddc3d5b7fcf976d47
                                                                                                                      • Opcode Fuzzy Hash: ca0ec9910cad67408076e451ec197badb7271a821ce5c218aaa1006fade8b4e5
                                                                                                                      • Instruction Fuzzy Hash: 5041EDB0C00619DFDB24CFA9D894B9DBBF5BF48304F20806AD419AB254DB75698ACF91
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 1597 4d64248-4d65a01 CreateActCtxA 1600 4d65a03-4d65a09 1597->1600 1601 4d65a0a-4d65a64 1597->1601 1600->1601 1608 4d65a66-4d65a69 1601->1608 1609 4d65a73-4d65a77 1601->1609 1608->1609 1610 4d65a88 1609->1610 1611 4d65a79-4d65a85 1609->1611 1613 4d65a89 1610->1613 1611->1610 1613->1613
                                                                                                                      APIs
                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 04D659F1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2184108013.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4d60000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Create
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2289755597-0
                                                                                                                      • Opcode ID: af6adb100ff2975386b839c5669cf552d14384a3056995f5b7c913ff71de79f0
                                                                                                                      • Instruction ID: 038833f8ec38449027038b511e3e77a3e720d247cdfe52594a6d6906cb3d3c08
                                                                                                                      • Opcode Fuzzy Hash: af6adb100ff2975386b839c5669cf552d14384a3056995f5b7c913ff71de79f0
                                                                                                                      • Instruction Fuzzy Hash: DA4110B0C00219DBDB24CFA9D894B8DBBF5FF49304F20806AD409AB250DB75698ACF91
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: ,aq
                                                                                                                      • API String ID: 0-3092978723
                                                                                                                      • Opcode ID: de5bd6000870f4397e15a15f73c51d15a334c72ba6487dcb2e37110510acccd6
                                                                                                                      • Instruction ID: de128780b54fbdd26e9c1ee7b3b9b8513e17bc7be46365b4f0ccfd7e501c76b9
                                                                                                                      • Opcode Fuzzy Hash: de5bd6000870f4397e15a15f73c51d15a334c72ba6487dcb2e37110510acccd6
                                                                                                                      • Instruction Fuzzy Hash: E6C17E30B052048FCB58DF78D88495ABBF6EF8931571589AAE506CB376DB35EC41CBA0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04D6D04E,?,?,?,?,?), ref: 04D6D10F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2184108013.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4d60000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: DuplicateHandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3793708945-0
                                                                                                                      • Opcode ID: 0888b4fc0f6fe88c0dcf5e827924bb07baec08e4372eefa60dd7c78b61b41907
                                                                                                                      • Instruction ID: 034cadb72ed7760ca7c20c0be27a92f58a19ce44cb08e91c7f0a236a6f68b2aa
                                                                                                                      • Opcode Fuzzy Hash: 0888b4fc0f6fe88c0dcf5e827924bb07baec08e4372eefa60dd7c78b61b41907
                                                                                                                      • Instruction Fuzzy Hash: F221F8B59002089FDB10CF9AD984AEEFFF5FB48310F14801AE919A3310D379A954CFA5
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04D6D04E,?,?,?,?,?), ref: 04D6D10F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2184108013.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4d60000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: DuplicateHandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3793708945-0
                                                                                                                      • Opcode ID: 150836d5f5d6ab4db6dab0fb8ad1b72dd24832ccb15a498533ac2aedc9020ece
                                                                                                                      • Instruction ID: e5813bb545a42522a3446144dfa925565b36725e39ec3b6a5283d9d8a3c63cf5
                                                                                                                      • Opcode Fuzzy Hash: 150836d5f5d6ab4db6dab0fb8ad1b72dd24832ccb15a498533ac2aedc9020ece
                                                                                                                      • Instruction Fuzzy Hash: 3721E4B5D002489FDB10CF9AD985ADEFBF5FB48310F14841AE918A7310D379A954CFA1
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: ,aq
                                                                                                                      • API String ID: 0-3092978723
                                                                                                                      • Opcode ID: dd9ac94dfed30ced620dda453dfbb0f032fa37edce5ac3f050b393e5c2caf249
                                                                                                                      • Instruction ID: d9f281e7a68fdbf3afc03672f34cfc3a0e1c74e7cb03d3910c749d70a382a8e3
                                                                                                                      • Opcode Fuzzy Hash: dd9ac94dfed30ced620dda453dfbb0f032fa37edce5ac3f050b393e5c2caf249
                                                                                                                      • Instruction Fuzzy Hash: 174127307042008FC7189B78D95892A3BE7AFC93597258DA8F106CB3B9DA35DC02C7A0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 4']q
                                                                                                                      • API String ID: 0-1259897404
                                                                                                                      • Opcode ID: 434f9f8f173b0ca4ebc1ec57ad491f3657835d02f090468c3cba4b712d19ed7c
                                                                                                                      • Instruction ID: 812feafcf530b7db26c0508537dd402a8ca1de0554b676bb4aa799bc48aa7631
                                                                                                                      • Opcode Fuzzy Hash: 434f9f8f173b0ca4ebc1ec57ad491f3657835d02f090468c3cba4b712d19ed7c
                                                                                                                      • Instruction Fuzzy Hash: 5C31B1317002048FDB09EBB894A45AFB7E7AFC8210B54893DD51ACB391EE35DD0687E2
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: o
                                                                                                                      • API String ID: 0-303508669
                                                                                                                      • Opcode ID: 760bb039d55fc57e9dd0f621645b39edd759bedf0ccaa4cac52a2c2d1f742fcf
                                                                                                                      • Instruction ID: cdd1d40dd3b299e9ac05dffc0f241ecd1b46f20f6e26e7f1ff84af2e2fd01ee1
                                                                                                                      • Opcode Fuzzy Hash: 760bb039d55fc57e9dd0f621645b39edd759bedf0ccaa4cac52a2c2d1f742fcf
                                                                                                                      • Instruction Fuzzy Hash: 8501B1313102054B8749EF78E96492E7BABEFC1294B545828D5068B625DE74BC0E8792
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 4']q
                                                                                                                      • API String ID: 0-1259897404
                                                                                                                      • Opcode ID: 4bcbe2e0235bac88e0c38f5280765c70f4fd364b5c47c8fa99dd173fa38fef1a
                                                                                                                      • Instruction ID: 0a1d6b0b622e738c5d16a2a24373125264030d8d613dad985691ab5af43dfa7b
                                                                                                                      • Opcode Fuzzy Hash: 4bcbe2e0235bac88e0c38f5280765c70f4fd364b5c47c8fa99dd173fa38fef1a
                                                                                                                      • Instruction Fuzzy Hash: 5401F9313402018FC30AEB68E8509AE77EFEFCA6503544869D446CB765DF74EC0AC3A1
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 4']q
                                                                                                                      • API String ID: 0-1259897404
                                                                                                                      • Opcode ID: 17a88cfec416991bf498d16d406bc8331a2633b47b931704e094f810f5877f8b
                                                                                                                      • Instruction ID: 234708929b2f26e02e6354728b4d702c65589512a0b438a923e1b49ca995924a
                                                                                                                      • Opcode Fuzzy Hash: 17a88cfec416991bf498d16d406bc8331a2633b47b931704e094f810f5877f8b
                                                                                                                      • Instruction Fuzzy Hash: 50F090313402058FC619EB68E8509AE73EFEFC96507508928D44ACB724EF74EC0A87E1
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 4']q
                                                                                                                      • API String ID: 0-1259897404
                                                                                                                      • Opcode ID: f9b61de72409a8946d9e18935296133e65060eae1320a538095d300feb3fdaea
                                                                                                                      • Instruction ID: c6e18865d6fe8b0662ac1f7ede973c509fd575bfc2e8fffce54862c5ad89a102
                                                                                                                      • Opcode Fuzzy Hash: f9b61de72409a8946d9e18935296133e65060eae1320a538095d300feb3fdaea
                                                                                                                      • Instruction Fuzzy Hash: 5CF0AF70A0124DEFCB04EFB8E95485CBBB6FF45240B1051A8C80593320DF306E08CB52
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      APIs
                                                                                                                      • VirtualAlloc.KERNEL32(?,?,?,?), ref: 00531BB7
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2166258335.0000000000524000.00000040.00000001.01000000.00000003.sdmp, Offset: 003DA000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2166258335.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2166258335.00000000005B3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2166258335.00000000011CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_3da000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4275171209-0
                                                                                                                      • Opcode ID: 86efccca69f8d3716a636c93f057e552c90d9e868bf000ba385b5c24e4c4ce1a
                                                                                                                      • Instruction ID: 362a83d037b06a6f6ad2fed28e0f36bd550f5d1aa62c22d196278871e04b99b1
                                                                                                                      • Opcode Fuzzy Hash: 86efccca69f8d3716a636c93f057e552c90d9e868bf000ba385b5c24e4c4ce1a
                                                                                                                      • Instruction Fuzzy Hash: 19E0E2B6B00208ABDB50CEACD8A4BAB779DFB98310F108411FA09D7208D235ED109769
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 6o
                                                                                                                      • API String ID: 0-2415941528
                                                                                                                      • Opcode ID: 601f22b022083412d42f70fef60e91ad8e29096331b507ace9960c1464585dde
                                                                                                                      • Instruction ID: fe99f16ae54dcbf65b65d786e434978fbe311b2e914a5f2f2338e27b0551c1d2
                                                                                                                      • Opcode Fuzzy Hash: 601f22b022083412d42f70fef60e91ad8e29096331b507ace9960c1464585dde
                                                                                                                      • Instruction Fuzzy Hash: 3BE0DF312446948FC70ADF28B8608DC7BA2EF922A4321455AC745E7361C6705C49C791
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 25cc49e06f4f2a31191d01f1832ba43b6b1056fb5250e2981f16dc4888424778
                                                                                                                      • Instruction ID: 34eb8f11b25f6a278e2c7a89ee7b2f58a204a673d0ae56dd0bf63c0a3db8df62
                                                                                                                      • Opcode Fuzzy Hash: 25cc49e06f4f2a31191d01f1832ba43b6b1056fb5250e2981f16dc4888424778
                                                                                                                      • Instruction Fuzzy Hash: BE4279703406198FCB259F68D550A6EBAF6FFC6714B014A5CD9039B3A1CF79ED098B82
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1b5796642f03fa0e49de19477f336b508ba895f418c5fd74f73f96dc404e3a22
                                                                                                                      • Instruction ID: 08c4c851311833b08d155e17deff2e4bad035d73d55cb9ec05a02634f91d87ca
                                                                                                                      • Opcode Fuzzy Hash: 1b5796642f03fa0e49de19477f336b508ba895f418c5fd74f73f96dc404e3a22
                                                                                                                      • Instruction Fuzzy Hash: 0A3246747006058FCB54DF29D888A6ABBF6FF89310B2588A9E506CB772DB74EC45CB50
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 909a0a8051acf2c6d35896d3cb8deb03f5d23f126a2df29e70092c45191a45c8
                                                                                                                      • Instruction ID: fcbac76cf2f135c975f8159ee71bf1d2432c402e7e2a52c3440ceaea73a4f1a6
                                                                                                                      • Opcode Fuzzy Hash: 909a0a8051acf2c6d35896d3cb8deb03f5d23f126a2df29e70092c45191a45c8
                                                                                                                      • Instruction Fuzzy Hash: BE02AE707402148FDB259F64C554A6EB7FAFF89704F04895DEA029B3A2CB79ED05CB82
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 68c15f8cf15ac5c1313764d3a32fc8ce82155e251991c92a2dc127131a667ed5
                                                                                                                      • Instruction ID: 1ed9a83f59da281ce24df53dd74f122ae4afc7a17d8fc88eb782cab70cba367f
                                                                                                                      • Opcode Fuzzy Hash: 68c15f8cf15ac5c1313764d3a32fc8ce82155e251991c92a2dc127131a667ed5
                                                                                                                      • Instruction Fuzzy Hash: D6E1B4B0740204DFDB158F64C955A6E77FAFF89700F048959EA029B3A2CB79ED05CB91
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: ca2fc0444d717a77d6207312092d49fda56f5527021ad7bade56c2a16616f8ed
                                                                                                                      • Instruction ID: 26215b963e977200b22dff6d220febaccc3b55f772b3fa9da2f65c47fa493187
                                                                                                                      • Opcode Fuzzy Hash: ca2fc0444d717a77d6207312092d49fda56f5527021ad7bade56c2a16616f8ed
                                                                                                                      • Instruction Fuzzy Hash: B9D190B0740204DFDB148B64C995B6D77FAFF89700F048959EA029B3A2CB79DD05CB92
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1f41df03b43967f1d7f9a07296fc629007aca4d7cdefb33362163143b17acda8
                                                                                                                      • Instruction ID: 86ccfb9d83da4286f707160d29220244e6bb15e1c1830892ba2b8a262b932127
                                                                                                                      • Opcode Fuzzy Hash: 1f41df03b43967f1d7f9a07296fc629007aca4d7cdefb33362163143b17acda8
                                                                                                                      • Instruction Fuzzy Hash: C5C18EB0700204DFDB548B64C959B6D77FAFF89700F04856AEA029B3A2CB75DD41CB92
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 39b728cf87f62dde659909e35a0ed5c241ce248e029911512346b0424863e13f
                                                                                                                      • Instruction ID: 5ba1d5cc1f19ef23b99f3c46e97b1ff9ff68bae0911c0dfdc95b3d68fd60e039
                                                                                                                      • Opcode Fuzzy Hash: 39b728cf87f62dde659909e35a0ed5c241ce248e029911512346b0424863e13f
                                                                                                                      • Instruction Fuzzy Hash: 9DC17FB0740204DFDF148B64C999B6D77FAFB89700F048559EA029B3A2CBB9DD45CB92
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 7e46c979f84f94b37b73a954fc6e417db57b1976cbfadfec3da60aaf1ce380f9
                                                                                                                      • Instruction ID: d7a3741ac5a6f3357c1917682b53f41cf56110263b22accaf0981bb983134f60
                                                                                                                      • Opcode Fuzzy Hash: 7e46c979f84f94b37b73a954fc6e417db57b1976cbfadfec3da60aaf1ce380f9
                                                                                                                      • Instruction Fuzzy Hash: 0BB1A1B0740204DFDF548B64C999B6D77FAFB89700F008559EA028B3A2CBB5DD45CB92
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b876485e15b806e95115ee828642a8a61f191f607f4e8603ef2c8f63dd481cf2
                                                                                                                      • Instruction ID: 5794a617e8ce18ce9fe5e4a82d4f9a8b039cc29752ac24b7d3a00fcb131dc3e8
                                                                                                                      • Opcode Fuzzy Hash: b876485e15b806e95115ee828642a8a61f191f607f4e8603ef2c8f63dd481cf2
                                                                                                                      • Instruction Fuzzy Hash: D6B126347006448FCB54DF29D998A6ABBF6FF89300B2584A9E546DB372DB74EC05CB60
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 455ab7c2be7d1ea7969313dec4eba44a6abf3aefc105eb8d4c9e4598413080ab
                                                                                                                      • Instruction ID: dd6768146fc9a7df8d94b218580c756849e18090d26a0d49e908b04b79a6156b
                                                                                                                      • Opcode Fuzzy Hash: 455ab7c2be7d1ea7969313dec4eba44a6abf3aefc105eb8d4c9e4598413080ab
                                                                                                                      • Instruction Fuzzy Hash: 49511471E00258DFDB14CFA9C884B9EBBF5EF88310F14892AE419AB354DB749946CF90
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e94deefebeccb1349cbd873ccd37327678bd9e2586c5e8801d17350220d88143
                                                                                                                      • Instruction ID: eda75a851f955f85c63b07abd28e4779260f2d4c1615d9654438feee1e923581
                                                                                                                      • Opcode Fuzzy Hash: e94deefebeccb1349cbd873ccd37327678bd9e2586c5e8801d17350220d88143
                                                                                                                      • Instruction Fuzzy Hash: D95135B0E00258DFDB14CFA9C885BDEBBF5EF48304F14892AE409AB290DB749845CF90
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: c69449b8d709b0df03ad3f9effa0786e7b864106c25054a3735df1d6b6cc893f
                                                                                                                      • Instruction ID: 76772918e02dc51a5cca12edca8b4dce39560764fa5d79ea1d603e2a3dc16b18
                                                                                                                      • Opcode Fuzzy Hash: c69449b8d709b0df03ad3f9effa0786e7b864106c25054a3735df1d6b6cc893f
                                                                                                                      • Instruction Fuzzy Hash: F7419A357002509FCB55DF38D89496ABBB6FF8A310B1084A9E906CB366CB75ED06CB90
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f34a4ab7d5c87e0ea04af683b773444b23ee21d48b9faa31756d39e44a4ea637
                                                                                                                      • Instruction ID: 34cbc3be38a3352af1a59c7820283cfd1acdd25f3c79779b8200b05afc2a194a
                                                                                                                      • Opcode Fuzzy Hash: f34a4ab7d5c87e0ea04af683b773444b23ee21d48b9faa31756d39e44a4ea637
                                                                                                                      • Instruction Fuzzy Hash: AE315A357002109FCB59DF38D88496EBBB6FF89710B108468E906CB366DB75ED45CB90
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 705751871ef65ded9594b71e41c4670682a683eccf7c32da309d1e2768ac4687
                                                                                                                      • Instruction ID: f39668231aa215872618b7ecbe3a9393c617433116bf3e079027f3b2f9e4ff76
                                                                                                                      • Opcode Fuzzy Hash: 705751871ef65ded9594b71e41c4670682a683eccf7c32da309d1e2768ac4687
                                                                                                                      • Instruction Fuzzy Hash: 4141E3B2D0124CDFDB14DF99D544ADEFBB5AF88310F10842AE819A7254DB356945CF90
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f60cd00d39299f1de26cd4ff3dfb7a924fc693f80494e836a52f5f17b2bb0f05
                                                                                                                      • Instruction ID: 8d7da48da28074ff89e5ea53f93896dc43f0c99b145d46085cd0f2c4ad6abd90
                                                                                                                      • Opcode Fuzzy Hash: f60cd00d39299f1de26cd4ff3dfb7a924fc693f80494e836a52f5f17b2bb0f05
                                                                                                                      • Instruction Fuzzy Hash: 243126B5D01218DFDB14CFA9D894ADEFBFAEF48310F24842AE809B7240D775A945CB90
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2177949502.000000000425D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0425D000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_425d000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: af844363e5966a95e4466dcedce6a1f3d02397a7f5dce972d5297d91cdf783af
                                                                                                                      • Instruction ID: 2b876114c0ed75035ce5299774f8637ce907609fbdcf78cb6ee14d65781174d7
                                                                                                                      • Opcode Fuzzy Hash: af844363e5966a95e4466dcedce6a1f3d02397a7f5dce972d5297d91cdf783af
                                                                                                                      • Instruction Fuzzy Hash: 6321F175620205DFDB05DF14D9C0B26BF65FB98324F20C569DD090B226C37AF456DBA2
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2178136763.000000000427D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0427D000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_427d000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 76345b1fa3725db36e402a6b9533f750cb825b3e426807841d59b4e1f8e5eac0
                                                                                                                      • Instruction ID: d82c133e8d184503cf715b6b52d53bf255d28cdd1d79cf5bb47e33adf25813ae
                                                                                                                      • Opcode Fuzzy Hash: 76345b1fa3725db36e402a6b9533f750cb825b3e426807841d59b4e1f8e5eac0
                                                                                                                      • Instruction Fuzzy Hash: BA21F275724204DFCB14DF24E984B26BF65EF84314F24C56DD9094B256D37AE407CB61
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 306943fffeaa15b75d3aa45aed37218617ebb00d329fb2fa174000f279c9dbcb
                                                                                                                      • Instruction ID: 6112576e142ee1f2300ef9c74d0782ff6e7bf9ababe8f40fef0902a66a56bdd9
                                                                                                                      • Opcode Fuzzy Hash: 306943fffeaa15b75d3aa45aed37218617ebb00d329fb2fa174000f279c9dbcb
                                                                                                                      • Instruction Fuzzy Hash: A531D435A0410AEFCB02DFA4EA68EA9BFB7FB49340F044414E74166664CB326D59DF62
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f57df199020274862557ff30cae853b4c0d15e941cbb1722a7f2669b6eb9543e
                                                                                                                      • Instruction ID: 1ad2a86dee4848650901d5c17cbbe7c2311cb2377d8a08c7d3166615bc7385ac
                                                                                                                      • Opcode Fuzzy Hash: f57df199020274862557ff30cae853b4c0d15e941cbb1722a7f2669b6eb9543e
                                                                                                                      • Instruction Fuzzy Hash: DE2127B0D01248DFDB14CFA9C895BDEBFF9EF49310F24842AE405A7250D775A846CBA0
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2178136763.000000000427D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0427D000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_427d000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5fa81288039a329bbca4fa95cc90c6cb59d1ef4bc6e0b93aff2904ea8cc21886
                                                                                                                      • Instruction ID: d865028449ed294bdac783757b1e0e213e27dac45402137ca933d12f7a8c7a97
                                                                                                                      • Opcode Fuzzy Hash: 5fa81288039a329bbca4fa95cc90c6cb59d1ef4bc6e0b93aff2904ea8cc21886
                                                                                                                      • Instruction Fuzzy Hash: E3216D755193808FDB12CF24D994B15BF71EF46314F28C5EAD8498B6A7C33AD80ACB62
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: d7ee096155b2082989b8f9c5b02cb3ccaa0c1092ba3619904b4ab6b79747f605
                                                                                                                      • Instruction ID: 2aef40fd67af36adf9cedbdcd2afaac4c79c48fb1b9df4e4298035fbfe22fda8
                                                                                                                      • Opcode Fuzzy Hash: d7ee096155b2082989b8f9c5b02cb3ccaa0c1092ba3619904b4ab6b79747f605
                                                                                                                      • Instruction Fuzzy Hash: 7C11A0712142008FD7218A6CE845F567BE9EF95320F00C566F655CB6A2D7A1E806C751
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2177949502.000000000425D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0425D000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_425d000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 034303c03c5a8322a33a378d0f9b17cc46fc402f4edf610f4cd85308e9016042
                                                                                                                      • Instruction ID: 902563c067b649e0dd4981fa7b096eaf7609b2b9556f000c770b2dea143508dd
                                                                                                                      • Opcode Fuzzy Hash: 034303c03c5a8322a33a378d0f9b17cc46fc402f4edf610f4cd85308e9016042
                                                                                                                      • Instruction Fuzzy Hash: 14110076514280CFDB06CF00D9C4B16BF72FB84324F24C6A9DD490B226C33AE45ACBA2
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4fc7a389776ece6d4cf44ec2865fcc19e4a265f0fcaf74833d1f42f7c8c728e9
                                                                                                                      • Instruction ID: b1fb97d1f301b130fd12774620e92ec404ced727a30381609123bc715110961f
                                                                                                                      • Opcode Fuzzy Hash: 4fc7a389776ece6d4cf44ec2865fcc19e4a265f0fcaf74833d1f42f7c8c728e9
                                                                                                                      • Instruction Fuzzy Hash: F011802210D2D56FC7138BB94C258B77FF89E8B111B0841DAFDD4CA163C169C825D7B1
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 71a10e4de116ed4364a257b6fb4728c97eb4031076e49d55f79e8d63614e549b
                                                                                                                      • Instruction ID: 46490d0f73d8a22a24ab2eeeb962356e61be7e65575cd00d0d2fc8ce66014c99
                                                                                                                      • Opcode Fuzzy Hash: 71a10e4de116ed4364a257b6fb4728c97eb4031076e49d55f79e8d63614e549b
                                                                                                                      • Instruction Fuzzy Hash: 8B017171B001199FDF14DEA9AC44AAFB7ADEBC8251B148436E914D3240DB70A91587E1
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2177949502.000000000425D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0425D000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_425d000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 73b6244a7158a8619195049907bf41995f05075a79ca7d0dab20576803feec38
                                                                                                                      • Instruction ID: 1b1e2fdd2161fad778551579eb23a76e9e7377a7cce9c2cfb516064fd688c2cc
                                                                                                                      • Opcode Fuzzy Hash: 73b6244a7158a8619195049907bf41995f05075a79ca7d0dab20576803feec38
                                                                                                                      • Instruction Fuzzy Hash: 67012B3123C3449ED7108F19CD84B67BF9CDFC1320F18C46AED088B256C278A800CAB1
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 63973162d6292949097732e3807d6d313e9248bddd398a5eb921c152d162a2f5
                                                                                                                      • Instruction ID: d409bb10f4217822d19e7e85108639e44313b12da77aa3dd8a952cf094877e20
                                                                                                                      • Opcode Fuzzy Hash: 63973162d6292949097732e3807d6d313e9248bddd398a5eb921c152d162a2f5
                                                                                                                      • Instruction Fuzzy Hash: 4301F9346083489FCB06DF74D8248A97FBAFF46300B1489E9E805CB662DB36CC16DB91
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac199db22f2d386458433d11f563e797cda074d10d8f8de756a6fe7895218d8c
• Instruction ID: e9baaec726b61a3b969903d735cdbd09f23551dab13268a7b8803f1ffb2c5a59
• Opcode Fuzzy Hash: ac199db22f2d386458433d11f563e797cda074d10d8f8de756a6fe7895218d8c
• Instruction Fuzzy Hash: CA016D36601711CFCB699A39AD14627B7F7AF84349B148C2DF407C7618DAB9E480CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7fcd82a635b94afd4f7c5c11f99ae4b7d46f086515c8d5cfaaaabde73c58f71
• Instruction ID: 6c6b42f886add9f2dc4b80f5ef6299493ac022a358160ae31313d44db9bf666b
• Opcode Fuzzy Hash: a7fcd82a635b94afd4f7c5c11f99ae4b7d46f086515c8d5cfaaaabde73c58f71
• Instruction Fuzzy Hash: EC0113B4C09299DFCB01CFA8D5046AEBFF1EB0A301F2085AAD855A3252D3350A01CB50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9aaf0e3ecf639216f95e5d0ac901eded5e5b761d2e26a5f1c6e8dc1ff78974ef
• Instruction ID: d26b86169cf4c2069eb685654cbc2e705983f2c33d0b5f4ee59afa7d318eb4a4
• Opcode Fuzzy Hash: 9aaf0e3ecf639216f95e5d0ac901eded5e5b761d2e26a5f1c6e8dc1ff78974ef
• Instruction Fuzzy Hash: E0F096357086818FCB259B79EC544A67FE5DF8A2293148CEAF54ACB232EA21D805C750
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f8de9f23fc20e9edc644f44992ed28bc5e7ed35a57e41eca4b7a7fd07295710
• Instruction ID: 93413d057eefd2e530791673a70c7a80d70b2c618237d93309133140c9aef34b
• Opcode Fuzzy Hash: 7f8de9f23fc20e9edc644f44992ed28bc5e7ed35a57e41eca4b7a7fd07295710
• Instruction Fuzzy Hash: 1D01D2B4D04219EFCB44DFA9D9456AEBBF1BB48301F1085AAD819B3351E7384A41CF90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55888ae968c5fb2671d773cba9acd95215fc30149462591a5d4b12e5502c781b
• Instruction ID: b13896aa207c1b0bb6bae86ebe12ed0090b0795618583334f307e633efef6dd1
• Opcode Fuzzy Hash: 55888ae968c5fb2671d773cba9acd95215fc30149462591a5d4b12e5502c781b
• Instruction Fuzzy Hash: 61F0F6313443449FDB218B28AC11F527FE5DF46720F1481A6F654CF1F2D2A1E845C340
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2177949502.000000000425D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0425D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_425d000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8848f16a7fdeb29dc7b7f1e2dc552dcc2646dbc4492b2c7224be026d4830577
• Instruction ID: 8f73f84833e9fb5f1bc5363a355540432fbbbc8d3a1d46aff6b9533881fe56e7
• Opcode Fuzzy Hash: a8848f16a7fdeb29dc7b7f1e2dc552dcc2646dbc4492b2c7224be026d4830577
• Instruction Fuzzy Hash: 7BF096715183449EE7108F1ACC84B67FF98EF81734F28C45AED484F296C279A844CBB1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95128ae2791678b0f7afbba40ff471fea9f97092607ac7f898bc89d97f85bd93
• Instruction ID: 4e028e3c1ce86a77e6e3f5029bff1fe95aab25b81c020acb280abbc48993b800
• Opcode Fuzzy Hash: 95128ae2791678b0f7afbba40ff471fea9f97092607ac7f898bc89d97f85bd93
• Instruction Fuzzy Hash: 81F012722041E87F8B558E9A5C10CFB7FEDDA8E5627084056FE98D2141C46DC9219BB0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 320df27c86dc25637d7b42409720c7f8eee5a9bbb858d0a1a19dbf1b4b681974
• Instruction ID: 90f5eb28f77a9c7b7c20e19bb8d3731d599b95c5a787c768a332ce640ba1af3e
• Opcode Fuzzy Hash: 320df27c86dc25637d7b42409720c7f8eee5a9bbb858d0a1a19dbf1b4b681974
• Instruction Fuzzy Hash: B5F02772B001585FDB518A79AC495FFBBFDEB98261B084427E954C3141EB30840983E2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbe66f6f13613fcb0d007ac3782c32b599cd3a732746b6719a896374e99263e4
• Instruction ID: eda8035c3a805ecd8807b6ab89652713207b7922a28f9317d75692326df3ec80
• Opcode Fuzzy Hash: dbe66f6f13613fcb0d007ac3782c32b599cd3a732746b6719a896374e99263e4
• Instruction Fuzzy Hash: EDF0E9757491945FC7175BB86C244BD3F68DEDA78130444EFD446CB261CA144506C792
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76061eb5669fe9038b50f2d1b3a245823b26de1d1447b458b59bdfe641b4bb96
• Instruction ID: 3c535fbda3b8e1492afde2d150469bf081987a883a99eab8b90732423a07a0c3
• Opcode Fuzzy Hash: 76061eb5669fe9038b50f2d1b3a245823b26de1d1447b458b59bdfe641b4bb96
• Instruction Fuzzy Hash: 89F062B5C09259DFCB00CFA4C4555ADBFB0EF5A341F0086D6D855E7361E6394A01CB00
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 47bc6d188824a2b43cc31b7dc5356aeaa227f3ddcde18792c9f099959253e8ec
• Instruction ID: 8cd1087f75854522e2070ba48779be0ced737399f2c297969db569678505f501
• Opcode Fuzzy Hash: 47bc6d188824a2b43cc31b7dc5356aeaa227f3ddcde18792c9f099959253e8ec
• Instruction Fuzzy Hash: 61E092313452046FD3146FDAB848A9FBADDEBCA795F00502CE50EC3242CA76680987A2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09ba3cbcbf8f5ded276522dddc6af8fbdb0cb9cfe2ef2e6b84b4b9d10fdf96bb
• Instruction ID: 0b5f6f59814e3dbcd5d906cd9a37fb3d1bf5cc256adf4885c87a0cc9cd9fcf4c
• Opcode Fuzzy Hash: 09ba3cbcbf8f5ded276522dddc6af8fbdb0cb9cfe2ef2e6b84b4b9d10fdf96bb
• Instruction Fuzzy Hash: 10F09434505B41CFD725DF66E558562BBF2FB88300B00862EE88B82A10DF70A44ACF85
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1946253962300e4f527c6d2628f1b4fe08615e017139fefd94d095748ca0c933
• Instruction ID: da6608897084204b3bff6a1b73af2cf1f746d469a2a5883e8829a81ce5d52275
• Opcode Fuzzy Hash: 1946253962300e4f527c6d2628f1b4fe08615e017139fefd94d095748ca0c933
• Instruction Fuzzy Hash: 5AE092B210D340AFD741EB34AC05997BBF8EF96220B15CCAEF484CB142E635D882C761
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f1423f01d4a746e3e40e11bbf7a517f4e269c649d5a84fe545613b8dc5f251e6
• Instruction ID: 2ac2da934a446c8de50aa8cb55621aff3bf5858f327fb8efcf3d3b526e72902b
• Opcode Fuzzy Hash: f1423f01d4a746e3e40e11bbf7a517f4e269c649d5a84fe545613b8dc5f251e6
• Instruction Fuzzy Hash: F6E0E5302047918FC311EB2DE51879F7BEADF86348F04042DE14687650CBB5A80587D2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 259ccee51fe5afcd2c5750765d2c665b1c4a0c5a9e9a88eabe903959110fe8b1
• Instruction ID: a6a158caa03088c774e6f7f95599bcf0260ebfda4278fd55bec2586032f69236
• Opcode Fuzzy Hash: 259ccee51fe5afcd2c5750765d2c665b1c4a0c5a9e9a88eabe903959110fe8b1
• Instruction Fuzzy Hash: 2EE0DF301487958FC70BAF38B42445C7FA2EFA2AA8721099DDF85E7260E6B09C04C796
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 716a067bf54a4dc695c7f91fcc55cd2ef8641ee86c5c40197d03a8f662fe916b
                                                                                                                      • Instruction ID: 7c247dc10e72ca292b98f2a97f43fc2d3178d06e7f5ab48104113f54cc1398b1
                                                                                                                      • Opcode Fuzzy Hash: 716a067bf54a4dc695c7f91fcc55cd2ef8641ee86c5c40197d03a8f662fe916b
                                                                                                                      • Instruction Fuzzy Hash: CED05B3535015867970567E9B4184AF779EDAC5761700142DE506C7340CE655D05C7D7
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: ca5d52411160c3eb49063b07271757174df8da2c8b1ba7d921d4f03ba26d2940
                                                                                                                      • Instruction ID: 082c8882f257681a7c8881e83311f1645852623cfe6fd8c2bdfd80962ac8a580
                                                                                                                      • Opcode Fuzzy Hash: ca5d52411160c3eb49063b07271757174df8da2c8b1ba7d921d4f03ba26d2940
                                                                                                                      • Instruction Fuzzy Hash: ABE0D8315043584FCB16EF38B8554CC7BA2BF45758701454DDF44AB2B2DB609918C7C5
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e5a7c3ee0483be60e0b96e97ca3ed35019b48bdc26ddcaf374ca37e31d907839
                                                                                                                      • Instruction ID: acafdb1285ef3603770ebcc7365e05fbed003a5ee1044c2bfd8307638126ab31
                                                                                                                      • Opcode Fuzzy Hash: e5a7c3ee0483be60e0b96e97ca3ed35019b48bdc26ddcaf374ca37e31d907839
                                                                                                                      • Instruction Fuzzy Hash: F2E09275D0420CEFCB40DFE5E9548DDBBB9EB48200F1082AAD809A3200EB316B55DF81
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: cdb2f535f3fbabd62b141d323c8cd57fab15bf6df3d63a2babff964d7bdb640a
                                                                                                                      • Instruction ID: 65748c3972c7d7c1604fd90938c66f90e89ecb5d756909e857ac5dea17d97e8a
                                                                                                                      • Opcode Fuzzy Hash: cdb2f535f3fbabd62b141d323c8cd57fab15bf6df3d63a2babff964d7bdb640a
                                                                                                                      • Instruction Fuzzy Hash: 16D05E313407164BCA249A6AED4089777DEDF842213008969A40A8B564DFA4E801C7D4
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b4b8c99dd93c57e74a3f17300d65e77248f57b7bfc23566e1912d06b4fb926cd
                                                                                                                      • Instruction ID: 1cbfb5f157d2faa7079625e3013a78c977189ee8bc8007ace03e6520a506f812
                                                                                                                      • Opcode Fuzzy Hash: b4b8c99dd93c57e74a3f17300d65e77248f57b7bfc23566e1912d06b4fb926cd
                                                                                                                      • Instruction Fuzzy Hash: 93D05E71A0020CFFCB00EFA8E910D5DB7BEEF44258B1045A9D908E3310EA316F049B91
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e5e11a1bc23cd0e906ba3b2d1f9d55163ecd907bcbc9c3afd40597bb9d51bdeb
                                                                                                                      • Instruction ID: 164b79262808df8103e5e62b57ee3912d85114154fd00bf87adeee131d87246d
                                                                                                                      • Opcode Fuzzy Hash: e5e11a1bc23cd0e906ba3b2d1f9d55163ecd907bcbc9c3afd40597bb9d51bdeb
                                                                                                                      • Instruction Fuzzy Hash: 8CC04C32718160170655655C742847E95DAC7C96A6355516BFA0BD3344CD609C4A43D5
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: bc1e97f7209ef17767084e0ea7c731483f45f62922bc881f3bb20a5d7dbc17ec
                                                                                                                      • Instruction ID: 12806e69f99a6d31f3a67480d6fb936c93443ed2b8b9d72b4707939abdc68b8c
                                                                                                                      • Opcode Fuzzy Hash: bc1e97f7209ef17767084e0ea7c731483f45f62922bc881f3bb20a5d7dbc17ec
                                                                                                                      • Instruction Fuzzy Hash: F6C0122100D2C02FDB1303700C26AA67F719F87300B2984D6E5C2890A381A20425E72A
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: bfcd5be479dc96e1ac1d9b90ef0b1888aa2d098fe1121994550f734706b5491d
                                                                                                                      • Instruction ID: 2cb1afc703b3f156af4addd2e8c410a3591e123728b0c6d61b4220416219218b
                                                                                                                      • Opcode Fuzzy Hash: bfcd5be479dc96e1ac1d9b90ef0b1888aa2d098fe1121994550f734706b5491d
                                                                                                                      • Instruction Fuzzy Hash: F5C04C719452848FEB095B1084175147A61BF4175170690DA8155CA167D7244410CA55
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2166258335.00000000011CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003DA000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2166258335.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2166258335.000000000050A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2166258335.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2166258335.00000000005B3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_3da000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: -LK6$BH|I
                                                                                                                      • API String ID: 0-2297784591
                                                                                                                      • Opcode ID: 8d479d59d66127eb3e23e45a5eba417e11e0dc3d2702b4038cb0ea0ed44e3cf7
                                                                                                                      • Instruction ID: 48bdd8ef643757b9c18516d29f94a8ff52cd5091bd073c4eaca212733b7607bf
                                                                                                                      • Opcode Fuzzy Hash: 8d479d59d66127eb3e23e45a5eba417e11e0dc3d2702b4038cb0ea0ed44e3cf7
                                                                                                                      • Instruction Fuzzy Hash: 4A92CDF2F042002BF3088A1DDC85AAB779AEBD4325F1A453DFA4DA77E1E1759D0147A2
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 60e342d4f7d9d9c67a451f8824e931e4732e6bf50cd3ed3be816088f848337c6
                                                                                                                      • Instruction ID: 808046f53b5a21ebb987d6c58462a2756682cbfd61c61cb2f0a64abbc666233b
                                                                                                                      • Opcode Fuzzy Hash: 60e342d4f7d9d9c67a451f8824e931e4732e6bf50cd3ed3be816088f848337c6
                                                                                                                      • Instruction Fuzzy Hash: E2623EB07002049FD749DF19D45871ABADAEF94308F64C86CC5099F3A6CBBAD90B8BD5
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 8c060e236f4a133919399730b15d815014ffaea5c41390727c644a12e34c046a
                                                                                                                      • Instruction ID: ffb45ac9219165126d77e5f12dbbf7551ecd69456c137984cd494ea824fc69e9
                                                                                                                      • Opcode Fuzzy Hash: 8c060e236f4a133919399730b15d815014ffaea5c41390727c644a12e34c046a
                                                                                                                      • Instruction Fuzzy Hash: 65623DB07002049FD749DF19D45871ABADAEF94308F64C86CC5099F3A6CBBAD90B8BD5
                                                                                                                      Uniqueness

                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 24ad3ad2995ee88f42f8dbfcbe437bb6cc97da5f9536b0991329d50349353190
• Instruction ID: 221b6e1722089b42266812c82267a56f8cd412b2e53c7382c7f86d520eb02cdf
• Opcode Fuzzy Hash: 24ad3ad2995ee88f42f8dbfcbe437bb6cc97da5f9536b0991329d50349353190
• Instruction Fuzzy Hash: 7F129F31A00219DFCB15CF69E840AAEBBF6FF88314F148969E805DB261DB35ED45CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2184108013.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4d60000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35c97ce5181446efdcdb2dfca8ed391e34bc5760236d8512ad03af0976c60669
• Instruction ID: 172ea769a21cf1bfa0817e324c2b98c49b002e114314d9ba75d344a6b52d7d9b
• Opcode Fuzzy Hash: 35c97ce5181446efdcdb2dfca8ed391e34bc5760236d8512ad03af0976c60669
• Instruction Fuzzy Hash: B2A17C32F00609CFCF05DFB5D88059EBBB2FF88304B15856AE906AB265DB71E915CB90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj
• API String ID: 0-126415374
• Opcode ID: e1a146f66b58517648eb4517d143b5088afd04ce15495cb62c93391f96041919
• Instruction ID: 18fc106a0cb7a41c1d4da5dfee756dec7fb690b2225fcf007cb458e6d58b3ee0
• Opcode Fuzzy Hash: e1a146f66b58517648eb4517d143b5088afd04ce15495cb62c93391f96041919
• Instruction Fuzzy Hash: 68D1B0303107096BD20BB6A0EE55ABDF297BB86B04B948438D6144F7B4DF75AC1D8397
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj
• API String ID: 0-297185741
• Opcode ID: 0a2c871cafd7a8df317039efcd4f5cf986b1316551c85dd3eb6f057622ce4741
• Instruction ID: d1c0a5e35393107612b83b7a41e086b49aa7a5583d5bee67ec004a8ad71afa50
• Opcode Fuzzy Hash: 0a2c871cafd7a8df317039efcd4f5cf986b1316551c85dd3eb6f057622ce4741
• Instruction Fuzzy Hash: 1041B5303107052BD207B6A4EA45B7EF69BFB86B04F548438D6084FAA5CF79AD0D8397
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj
• API String ID: 0-454041363
• Opcode ID: e4d3169c76db8bf92b1fbe3963f67541102285e29549937285b8ddb0191b65bc
• Instruction ID: 5193ff08a753ea53087e302d3248b2cceef70ea674f54d0dc1b5650077aa443a
• Opcode Fuzzy Hash: e4d3169c76db8bf92b1fbe3963f67541102285e29549937285b8ddb0191b65bc
• Instruction Fuzzy Hash: 1221B4303003052BD606A6A4EA44B7DF69BFB86B04F548438D6084F6A5CF75BC0D8397
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: (>p$(>p$(>p$P[u$P[u$x>p$x>p
• API String ID: 0-1146436099
• Opcode ID: f0a8be8523c3f7de8d9da895e2f070533edd56b418f248e58f75e4643bc6fcbb
• Instruction ID: bfcea16d28a134461d264da497482fd8338272cdaffecaa5dbfdac9336021368
• Opcode Fuzzy Hash: f0a8be8523c3f7de8d9da895e2f070533edd56b418f248e58f75e4643bc6fcbb
• Instruction Fuzzy Hash: 5E512435B50208AFCB44CF69C8949AEBBF6EF88710B158569F905AB361EB70ED05CB50
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: (>p$0=p$H=p$t=p$t=p$t=p$t=p
• API String ID: 0-3503545240
• Opcode ID: 8a68daeb6c9657c7110701a4d3478cb72b7305438dac0ab9ab9560b91d680bd0
• Instruction ID: 29c79a47ddd0f7566dc74659a4df8059fc9580dbbc0aa07c1c6599230c8cbc89
• Opcode Fuzzy Hash: 8a68daeb6c9657c7110701a4d3478cb72b7305438dac0ab9ab9560b91d680bd0
• Instruction Fuzzy Hash: 21416872A002009FC704DB68C955E6EBBF6EFD9B00F1584AEE505DB3A2CA71DC05CBA1
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj
• API String ID: 0-2558996416
• Opcode ID: e312197c6a5a4c162813db10bcb6e4b024914f9c1b0e0e18b48068f8cb3ac649
• Instruction ID: 1b9e3df720ee88201621ffb43885d876fa74f640e4ad2ba9b0f34dca82f76a64
• Opcode Fuzzy Hash: e312197c6a5a4c162813db10bcb6e4b024914f9c1b0e0e18b48068f8cb3ac649
• Instruction Fuzzy Hash: E321D6303002066BDB066BA4E954CAEB797FB87B047104038DA15CF6A4CF74AD4ECBD2
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: (_]q$(_]q$(_]q$(_]q$(_]q$(_]q
• API String ID: 0-414434136
• Opcode ID: f655ca4b1cb9f5060dbc039ad211d48fd0c44dbf8f03521e9f6a0f315cfbde06
• Instruction ID: df7b06d35c32e26ec3ab7711f729f67a3ee6608a4cc435c6463c97f55ec41a10
• Opcode Fuzzy Hash: f655ca4b1cb9f5060dbc039ad211d48fd0c44dbf8f03521e9f6a0f315cfbde06
• Instruction Fuzzy Hash: 3CE1BD35B047489FCB059F68C4645AE7FB2EF86340F2489AAEC46DB391DA319D06CB91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: Dxj$Dxj$Dxj$Dxj$Dxj$Dxj
• API String ID: 0-2954910372
• Opcode ID: 30ea605f7469986523a925d2792462fb661335335e0f2bb3263c24e411157b90
• Instruction ID: 4084880c6fb5d36464cc575d8d5419e009141454e585d0046b726dc30ce056df
• Opcode Fuzzy Hash: 30ea605f7469986523a925d2792462fb661335335e0f2bb3263c24e411157b90
• Instruction Fuzzy Hash: 0D11D5303003052BD207A6A5EA44B7EF69BFB86B08F548538D6044F6A4CF76AD1D83A7
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: X~d$X~d$X~d$X~d$`Q]q
• API String ID: 0-1272628562
• Opcode ID: ec5a12f048e1d03d3b7eee78856304a9130440fc2c0ddc8b098551cb24d8ea17
• Instruction ID: 414d524b1b951f9a6b6bd72346a4a4ff26b2f632ade8abcd134080aee98ba8f1
• Opcode Fuzzy Hash: ec5a12f048e1d03d3b7eee78856304a9130440fc2c0ddc8b098551cb24d8ea17
• Instruction Fuzzy Hash: 75B1EF31B0120A9FEB24CF29C55076AB7E3AF81704F14C969E9198F3A4CB74DC86CB91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: ,Bp$DBp$PHp$\Bp$tBp
• API String ID: 0-3011293830
• Opcode ID: c9ad9415d2047249b9f1672a84dd6c22e7b05f0a472d03aba6643dabaedbc311
• Instruction ID: bd37846fa76763d8195677d5a633e8e14124e6f65d52328fe2107263df46464f
• Opcode Fuzzy Hash: c9ad9415d2047249b9f1672a84dd6c22e7b05f0a472d03aba6643dabaedbc311
• Instruction Fuzzy Hash: 5FB12374B501109FC714DB28C9A5E2EB7FAFF98704F518499E60ADB3B2DA72EC418B50
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: `su$`su$hOp$hOp
• API String ID: 0-3973363348
• Opcode ID: b350ad816552db67bc3a2b9ee6b61948c71b026bd18e3b9082d23dc172aa3a43
• Instruction ID: ea274984ea84ff797607a2e1fc38e7d7fed7fa0b5a859dc889f2447e12b52753
• Opcode Fuzzy Hash: b350ad816552db67bc3a2b9ee6b61948c71b026bd18e3b9082d23dc172aa3a43
• Instruction Fuzzy Hash: 34512635B10108AFCB44DF69C994A9EBBF6FF88310B15C469E905AB3A1EB71ED05CB50
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: (>p$P[u$P[u$x>p
• API String ID: 0-1834282838
• Opcode ID: 149abb02aa35cc7c78052f1b75ea95e741bafd1308c1c6dba2113cdb2ef34f59
• Instruction ID: 797f2480317c10e83f41a76a9be6c5614d0938c6f015be6aaa19a367dfd5eef5
• Opcode Fuzzy Hash: 149abb02aa35cc7c78052f1b75ea95e741bafd1308c1c6dba2113cdb2ef34f59
• Instruction Fuzzy Hash: D9417C35A14245AFCB45CF69C89499DBBF2FF8A310B16C4AAE805EB361DB31EC05CB50
Uniqueness

Uniqueness Score: -1.00%
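The function-fingerprint records above are only useful once they are machine-readable: an analyst typically wants to pivot on the Opcode Fuzzy Hash across samples, see which dumped memory regions (identified by the .sdmp file name and its Offset) the code came from, and split the `$`-joined String ID list back into individual strings. The block below is an added example of such a parser, written for this page; it is not Joe Sandbox tooling and not part of the original report. The two sample records are copied from the report text above. Assumptions, labelled in the code as well: the `$` separator is taken from how String ID is rendered on this page; in the .sdmp file name only the 16-digit field is treated as known (it equals the record's Offset), the other fields are carried through uninterpreted, and the 8-digit field after it is tentatively read as the Win32 page-protection value, in which case 0x40 is PAGE_EXECUTE_READWRITE.

```python
import re
from collections import Counter

# Constructed sample input: two records copied verbatim from the report above
# (leading indentation removed), so the parser runs offline.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.2199616049.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90e0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj$Dxj
• API String ID: 0-454041363
• Opcode ID: e4d3169c76db8bf92b1fbe3963f67541102285e29549937285b8ddb0191b65bc
• Instruction ID: 5193ff08a753ea53087e302d3248b2cceef70ea674f54d0dc1b5650077aa443a
• Opcode Fuzzy Hash: e4d3169c76db8bf92b1fbe3963f67541102285e29549937285b8ddb0191b65bc
• Instruction Fuzzy Hash: 1221B4303003052BD606A6A4EA44B7DF69BFB86B04F548438D6084F6A5CF75BC0D8397
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2199538564.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_90c0000_e5oMWYWLig.jbxd
Similarity
• API ID:
• String ID: (>p$(>p$(>p$P[u$P[u$x>p$x>p
• API String ID: 0-1146436099
• Opcode ID: f0a8be8523c3f7de8d9da895e2f070533edd56b418f248e58f75e4643bc6fcbb
• Instruction ID: bfcea16d28a134461d264da497482fd8338272cdaffecaa5dbfdac9336021368
• Opcode Fuzzy Hash: f0a8be8523c3f7de8d9da895e2f070533edd56b418f248e58f75e4643bc6fcbb
• Instruction Fuzzy Hash: 5E512435B50208AFCB44CF69C8949AEBBF6EF88710B158569F905AB361EB70ED05CB50
Uniqueness

Uniqueness Score: -1.00%
"""

BULLET = "• "
STRING_SEP = "$"          # assumption: separator as rendered on this page
PAGE_EXECUTE_READWRITE = 0x40  # Win32 constant; mapping to the name field is an assumption

# Layout of the .sdmp name: only <base> is known (it equals the record's Offset);
# the meaning of the other fields is not documented on the page.
SDMP_RE = re.compile(
    r"^(?P<f0>[0-9A-Fa-f]{8})\.(?P<f1>[0-9A-Fa-f]{8})\.(?P<f2>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f5>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_records(text):
    """Split the plugin listing into one dict per 'Memory Dump Source' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
        elif current is None:
            continue
        elif line.startswith(BULLET):
            key, _, value = line[len(BULLET):].partition(":")
            key, value = key.strip(), value.strip()
            if key == "Source File":
                # "<name>.sdmp, Offset: 090E0000, based on PE: false" -> three fields
                parts = [p.strip() for p in value.split(",")]
                current[key] = parts[0]
                for extra in parts[1:]:
                    k, _, v = extra.partition(":")
                    current[k.strip()] = v.strip()
            elif key == "String ID":
                current[key] = value.split(STRING_SEP) if value else []
            else:
                current[key] = value
        elif line.startswith("Uniqueness Score:"):
            current["Uniqueness Score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
    return records


def parse_sdmp_name(name):
    """Decode the dump file name; 'rwx' relies on the protection-field assumption."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    protect = int(m["protect"], 16)
    return {
        "base": int(m["base"], 16),
        "protect": protect,
        "rwx": protect == PAGE_EXECUTE_READWRITE,
        "raw_fields": [m[g] for g in ("f0", "f1", "f2", "f5", "f6", "f7")],
    }


def summarize(records):
    """Pivot data an analyst wants: records per region, distinct hashes, consistency checks."""
    names = {r["Source File"]: parse_sdmp_name(r["Source File"]) for r in records}
    return {
        "per_region": dict(Counter(r["Offset"] for r in records)),
        "distinct_opcode_hashes": len({r["Opcode Fuzzy Hash"] for r in records}),
        # On this page Opcode ID always equals Opcode Fuzzy Hash; verify rather than assume.
        "opcode_id_equals_fuzzy_hash": all(r["Opcode ID"] == r["Opcode Fuzzy Hash"] for r in records),
        "base_matches_offset": all(names[r["Source File"]]["base"] == int(r["Offset"], 16) for r in records),
        "rwx_regions": sorted({r["Offset"] for r in records if names[r["Source File"]]["rwx"]}),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["Offset"], r["Opcode Fuzzy Hash"][:16], r["String ID"])
    print(summarize(recs))
```

Run against a full report export, `rwx_regions` gives the list of dumped regions worth opening first when chasing the unpacked payload, and `per_region` shows where the bulk of the fingerprinted functions sit; the two consistency booleans catch a mis-parsed record before any hash is used as a pivot.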